From 9f25f7ddd0c3f8c9582ce523f7079d4a18218030 Mon Sep 17 00:00:00 2001
From: "Gao, Liming" <liming.gao@intel.com>
Date: Wed, 26 Mar 2014 09:27:01 +0000
Subject: [PATCH] Add check to make sure the data be valid.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gao, Liming <liming.gao@intel.com>
Reviewed-by: Zeng, Star <star.zeng@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15393 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../PlatDriOverrideDxe.c                      | 10 ++--
 .../PlatDriOverrideLib.c                      | 60 ++++++++++++++++---
 2 files changed, 57 insertions(+), 13 deletions(-)

diff --git a/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideDxe.c b/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideDxe.c
index ab254a0b45..3c55a785fc 100644
--- a/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideDxe.c
+++ b/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideDxe.c
@@ -13,7 +13,7 @@
   4. It save all the mapping info in NV variables which will be consumed
      by platform override protocol driver to publish the platform override protocol.
 
-Copyright (c) 2007 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -1240,6 +1240,7 @@ PlatOverMngrRouteConfig (
   EFI_CALLBACK_INFO                         *Private;
   UINT16                                    KeyValue;
   PLAT_OVER_MNGR_DATA                       *FakeNvData;
+  EFI_STATUS                                Status;
 
   if (Configuration == NULL || Progress == NULL) {
     return EFI_INVALID_PARAMETER;
@@ -1260,11 +1261,12 @@ PlatOverMngrRouteConfig (
     return EFI_SUCCESS;
   }
 
+  Status = EFI_SUCCESS;
   if (mCurrentPage == FORM_ID_DRIVER) {
     KeyValue = KEY_VALUE_DRIVER_GOTO_ORDER;
     UpdatePrioritySelectPage (Private, KeyValue, FakeNvData);
     KeyValue = KEY_VALUE_ORDER_SAVE_AND_EXIT;
-    CommintChanges (Private, KeyValue, FakeNvData);
+    Status = CommintChanges (Private, KeyValue, FakeNvData);
     //
     // Since UpdatePrioritySelectPage will change mCurrentPage,
     // should ensure the mCurrentPage still indicate the second page here
@@ -1274,10 +1276,10 @@ PlatOverMngrRouteConfig (
 
   if (mCurrentPage == FORM_ID_ORDER) {
     KeyValue = KEY_VALUE_ORDER_SAVE_AND_EXIT;
-    CommintChanges (Private, KeyValue, FakeNvData);
+    Status = CommintChanges (Private, KeyValue, FakeNvData);
   }
 
-  return EFI_SUCCESS;
+  return Status;
 }
 
 /**
diff --git a/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c b/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
index 2391ade211..d07f62ab4a 100644
--- a/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
+++ b/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
@@ -1,7 +1,7 @@
 /** @file
   Implementation of the shared functions to do the platform driver vverride mapping.
 
-  Copyright (c) 2007 - 2009, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -691,12 +691,17 @@ InitOverridesMapping (
   //
   VariableNum = 1;
   Corrupted = FALSE;
+  NotEnd = 0;
   do {
     VariableIndex = VariableBuffer;
-    //
-    // End flag
-    //
-    NotEnd = *(UINT32*) VariableIndex;
+    if (VariableIndex + sizeof (UINT32) > (UINT8 *) VariableBuffer + BufferSize) {
+      Corrupted = TRUE;
+    } else {
+      //
+      // End flag
+      //
+      NotEnd = *(UINT32*) VariableIndex;
+    }
     //
     // Traverse the entries containing the mapping that Controller Device Path
     // to a set of Driver Device Paths within this variable.
@@ -706,6 +711,10 @@ InitOverridesMapping (
       //
       // Check signature of this entry
       //
+      if (VariableIndex + sizeof (UINT32) > (UINT8 *) VariableBuffer + BufferSize) {
+        Corrupted = TRUE;
+        break;
+      }
       Signature = *(UINT32 *) VariableIndex;
       if (Signature != PLATFORM_OVERRIDE_ITEM_SIGNATURE) {
         Corrupted = TRUE;
@@ -722,6 +731,10 @@ InitOverridesMapping (
       //
       // Get DriverNum
       //
+      if (VariableIndex + sizeof (UINT32) >= (UINT8 *) VariableBuffer + BufferSize) {
+        Corrupted = TRUE;
+        break;
+      }
       DriverNumber = *(UINT32*) VariableIndex;
       OverrideItem->DriverInfoNum = DriverNumber;
       VariableIndex = VariableIndex + sizeof (UINT32);
@@ -735,6 +748,14 @@ InitOverridesMapping (
       // Align the VariableIndex since the controller device path may not be aligned, refer to the SaveOverridesMapping()
       //
       VariableIndex += ((sizeof(UINT32) - ((UINTN) (VariableIndex))) & (sizeof(UINT32) - 1));
+      //
+      // Check buffer overflow.
+      //
+      if ((OverrideItem->ControllerDevicePath == NULL) || (VariableIndex < (UINT8 *) ControllerDevicePath) || 
+          (VariableIndex > (UINT8 *) VariableBuffer + BufferSize)) {
+        Corrupted = TRUE;
+        break;
+      }
 
       //
       // Get all DriverImageDevicePath[]
@@ -756,8 +777,20 @@ InitOverridesMapping (
         VariableIndex += ((sizeof(UINT32) - ((UINTN) (VariableIndex))) & (sizeof(UINT32) - 1));
 
         InsertTailList (&OverrideItem->DriverInfoList, &DriverImageInfo->Link);
+
+        //
+        // Check buffer overflow
+        //
+        if ((DriverImageInfo->DriverImagePath == NULL) || (VariableIndex < (UINT8 *) DriverDevicePath) || 
+            (VariableIndex < (UINT8 *) VariableBuffer + BufferSize)) {
+          Corrupted = TRUE;
+          break;
+        }
       }
       InsertTailList (MappingDataBase, &OverrideItem->Link);
+      if (Corrupted) {
+        break;
+      }
     }
 
     FreePool (VariableBuffer);
@@ -866,11 +899,11 @@ DeleteOverridesVariables (
   //
   // Check NotEnd to get all PlatDriOverX variable(s)
   //
-  while ((*(UINT32*)VariableBuffer) != 0) {
+  while ((VariableBuffer != NULL) && ((*(UINT32*)VariableBuffer) != 0)) {
+    FreePool (VariableBuffer);
     UnicodeSPrint (OverrideVariableName, sizeof (OverrideVariableName), L"PlatDriOver%d", VariableNum);
     VariableBuffer = GetVariableAndSize (OverrideVariableName, &gEfiCallerIdGuid, &BufferSize);
     VariableNum++;
-    ASSERT (VariableBuffer != NULL);
   }
 
   //
@@ -1057,10 +1090,19 @@ SaveOverridesMapping (
                     VariableNeededSize,
                     VariableBuffer
                     );
-    ASSERT (!EFI_ERROR(Status));
+    FreePool (VariableBuffer);
+
+    if (EFI_ERROR (Status)) {
+      if (NumIndex > 0) {
+        //
+        // Delete all PlatDriOver variables when full mapping can't be set.  
+        //
+        DeleteOverridesVariables ();
+      }
+      return Status;
+    }
 
     NumIndex ++;
-    FreePool (VariableBuffer);
   }
 
   return EFI_SUCCESS;
-- 
2.39.2