From 24ee1ccaf8310dd4f0bf591de7b71175cad5c865 Mon Sep 17 00:00:00 2001
From: li-elvin
Date: Wed, 17 Oct 2012 06:07:27 +0000
Subject: [PATCH] Fix buffer overflow issue in Consplitter.
Signed-off-by: Li Elvin
Reviewed-by: Ni Ruiyu
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13857 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../Console/ConSplitterDxe/ConSplitter.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
index 2508273398..bcb9fd6f73 100644
--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
+++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
@@ -2109,6 +2109,8 @@ ConSplitterGrowMapTable (
 INT32 *OldTextOutModeMap;
 INT32 *SrcAddress;
 INT32 Index;
+ UINTN OldStepSize;
+ UINTN NewStepSize;
 NewSize = Private->TextOutListCount * sizeof (INT32);
 OldTextOutModeMap = Private->TextOutModeMap;
@@ -2146,14 +2148,26 @@ ConSplitterGrowMapTable (
 Size = Private->CurrentNumberOfConsoles * sizeof (INT32);
 Index = 0;
 SrcAddress = OldTextOutModeMap;
+ NewStepSize = NewSize / sizeof(INT32);
+ // If Private->CurrentNumberOfConsoles is not zero and OldTextOutModeMap
+ // is not NULL, it indicates that the original TextOutModeMap is not enough
+ // for the new console devices and has been enlarged by CONSOLE_SPLITTER_ALLOC_UNIT columns.
+ //
+ OldStepSize = NewStepSize - CONSOLE_SPLITTER_ALLOC_UNIT;
 //
 // Copy the old data to the new one
 //
 while (Index < Private->TextOutMode.MaxMode) {
 CopyMem (TextOutModeMap, SrcAddress, Size);
- TextOutModeMap += NewSize;
- SrcAddress += Size;
+ //
+ // Go to next row of new TextOutModeMap.
+ //
+ TextOutModeMap += NewStepSize;
+ //
+ // Go to next row of old TextOutModeMap.
+ //
+ SrcAddress += OldStepSize;
 Index++;
 }
 //
--
2.39.2
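Review bot: In the second hunk, `OldStepSize = NewStepSize - CONSOLE_SPLITTER_ALLOC_UNIT;` is an unsigned (UINTN) subtraction that relies on the table having grown by exactly CONSOLE_SPLITTER_ALLOC_UNIT columns; the comment states this but nothing checks it, so a smaller TextOutListCount would wrap the stride and advance `SrcAddress` far outside the old buffer. The per-row `CopyMem` length `Size` must also fit within both strides for the copy to stay in bounds. I would pin both invariants next to the computation, e.g. `ASSERT (NewStepSize >= CONSOLE_SPLITTER_ALLOC_UNIT);` and `ASSERT (Private->CurrentNumberOfConsoles <= OldStepSize);`, and consider an explicit error return if this path can run in builds where ASSERT is compiled out. The code that grows TextOutListCount and the rest of ConSplitterGrowMapTable lie outside these hunks, so whether the invariant always holds cannot be confirmed from here.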