From 52e8c5683843f3d5f9e979cbc0261d3951a7e0be Mon Sep 17 00:00:00 2001
From: Hao Wu <hao.a.wu@intel.com>
Date: Mon, 18 Dec 2017 09:16:00 +0800
Subject: [PATCH] BaseTools/EfiRom: Add/refine boundary checks for
 strcpy/strcat calls

Add checks to ensure when the destination string buffer is of fixed
size, the strcpy/strcat functions calls will not access beyond the
boundary.

Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
---
 BaseTools/Source/C/EfiRom/EfiRom.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/BaseTools/Source/C/EfiRom/EfiRom.c b/BaseTools/Source/C/EfiRom/EfiRom.c
index 6648f4c738..fc3b5ad277 100644
--- a/BaseTools/Source/C/EfiRom/EfiRom.c
+++ b/BaseTools/Source/C/EfiRom/EfiRom.c
@@ -96,7 +96,13 @@ Returns:
   //
   if (!mOptions.OutFileName[0]) {
     if (mOptions.FileList != NULL) {
-      strcpy (mOptions.OutFileName, mOptions.FileList->FileName);
+      if (strlen (mOptions.FileList->FileName) >= MAX_PATH) {
+        Status = STATUS_ERROR;
+        Error (NULL, 0, 2000, "Invalid parameter", "Input file name is too long - %s.", mOptions.FileList->FileName);
+        goto BailOut;
+      }
+      strncpy (mOptions.OutFileName, mOptions.FileList->FileName, MAX_PATH - 1);
+      mOptions.OutFileName[MAX_PATH - 1] = 0;
       //
       // Find the last . on the line and replace the filename extension with
       // the default
-- 
2.39.2