From 885c3060c193c9f4c3e3430c82c8c3e8fc574398 Mon Sep 17 00:00:00 2001 From: Hao Wu Date: Mon, 13 Jul 2015 01:22:21 +0000 Subject: [PATCH] IntelFrameworkModulePkg GenericBdsLib: Potential read over memory boudary This commit will resolve the issue brought by r17733. StringBuffer1 = AllocateCopyPool ( MAX_STRING_LEN * sizeof (CHAR16), L"Configuration changed. Reset to apply it Now." ); The above using of AllocateCopyPool() will read contents out of the scope of the constant string. Potential risk for the constant string allocated at the boundary of memory region. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu Reviewed-by: Qiu Shumin Reviewed-by: Jeff Fan git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17929 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../Library/GenericBdsLib/BdsMisc.c | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsMisc.c b/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsMisc.c
index b5be63140f..24c1998a14 100644
--- a/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsMisc.c
+++ b/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsMisc.c
@@ -1127,16 +1127,20 @@ SetupResetReminder (
 if (IsResetReminderFeatureEnable ()) {
 if (IsResetRequired ()) {
- StringBuffer1 = AllocateCopyPool (
- MAX_STRING_LEN * sizeof (CHAR16),
- L"Configuration changed. Reset to apply it Now."
- );
+ StringBuffer1 = AllocateZeroPool (MAX_STRING_LEN * sizeof (CHAR16));
 ASSERT (StringBuffer1 != NULL);
- StringBuffer2 = AllocateCopyPool (
- MAX_STRING_LEN * sizeof (CHAR16),
- L"Press ENTER to reset"
- );
+ StringBuffer2 = AllocateZeroPool (MAX_STRING_LEN * sizeof (CHAR16));
 ASSERT (StringBuffer2 != NULL);
+ StrCpyS (
+ StringBuffer1,
+ MAX_STRING_LEN,
+ L"Configuration changed. Reset to apply it Now."
+ );
+ StrCpyS (
+ StringBuffer2,
+ MAX_STRING_LEN,
+ L"Press ENTER to reset"
+ );
 //
 // Popup a menu to notice user
 //
-- 
2.39.2
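Review bot: Allocation failure is still caught only by `ASSERT (StringBuffer1 != NULL)` and `ASSERT (StringBuffer2 != NULL)`, which EDK II builds can compile out. In such a build the two added `StrCpyS` calls, and whatever consumes the buffers after this hunk, would be handed a NULL pointer. A runtime guard placed before the copies, such as `if ((StringBuffer1 == NULL) || (StringBuffer2 == NULL)) {`, should free whichever allocation succeeded and skip the popup. The `RETURN_STATUS` from both `StrCpyS` calls is also discarded; capturing it in a local and checking it would keep a failed or rejected copy from going unnoticed. The rest of SetupResetReminder lies outside the hunk, so how the buffers are used and freed afterwards should be confirmed there.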