From c0b7e2b2bfc2748112607bfe83fc99cf48c97b48 Mon Sep 17 00:00:00 2001
From: Michael Kinney <michael.d.kinney@intel.com>
Date: Wed, 28 Sep 2016 17:33:43 -0700
Subject: [PATCH 1/1] ShellPkg/Hexedit: Fix FreePool() ASSERT() when writing
 disk

The HDiskImageSave() function copies a device path using
DuplicateDevicePath() and passes that device path to
gBS->LocateDevicePath() that changes the value of the
device path pointer.  When FreePool() is called with the
modified device path pointer, the FreePool() service
generates an ASSERT() because the signature for the pool
head can not be found.

The function HDiskImageRead() immediately above
HDiskImageSave() has the correct algorithm that uses an
additional local variable called DupDevicePathForFree to
preserve the pointer to the allocated buffer so it can
be used in the call to FreePool().

Bug: <https://bugzilla.tianocore.org/show_bug.cgi?id=131>

Cc: Jaben Carsey <jaben.carsey@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Michael Kinney <michael.d.kinney@intel.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Jaben Carsey <Jaben.carsey@intel.com>
---
 .../Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c  | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c b/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c
index a50b52f5f2..1c93cd8958 100644
--- a/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c
+++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c
@@ -1,7 +1,7 @@
 /** @file
   Functions to deal with Disk buffer.
 
-  Copyright (c) 2005 - 2011, Intel Corporation. All rights reserved. <BR>
+  Copyright (c) 2005 - 2016, Intel Corporation. All rights reserved. <BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -343,6 +343,7 @@ HDiskImageSave (
 
   CONST EFI_DEVICE_PATH_PROTOCOL  *DevicePath;
   EFI_DEVICE_PATH_PROTOCOL        *DupDevicePath;
+  EFI_DEVICE_PATH_PROTOCOL        *DupDevicePathForFree;
   EFI_BLOCK_IO_PROTOCOL           *BlkIo;
   EFI_STATUS                      Status;
   EFI_HANDLE                      Handle;
@@ -364,12 +365,13 @@ HDiskImageSave (
     return EFI_INVALID_PARAMETER;
   }
   DupDevicePath = DuplicateDevicePath(DevicePath);
+  DupDevicePathForFree = DupDevicePath;
 
   //
   // get blkio interface
   //
   Status = gBS->LocateDevicePath(&gEfiBlockIoProtocolGuid,&DupDevicePath,&Handle);
-  FreePool(DupDevicePath);
+  FreePool(DupDevicePathForFree);
   if (EFI_ERROR (Status)) {
 //    StatusBarSetStatusString (L"Read Disk Failed");
     return Status;
-- 
2.39.2