diff options
| author | Hao Wu <hao.a.wu@intel.com> | 2017-03-23 10:45:44 +0800 |
|---|---|---|
| committer | Hao Wu <hao.a.wu@intel.com> | 2017-04-14 13:25:01 +0800 |
| commit | 53ae8314438b49c426d45f5208cd5c9e05cf60f7 (patch) | |
| tree | 704dd5aaf25915c24181a31b49a06e275aefea3c | |
| parent | 591c1bed314a98f343c9392cc8c77a7c08e8c9f0 (diff) | |
| download | edk2-53ae8314438b49c426d45f5208cd5c9e05cf60f7.tar.gz edk2-53ae8314438b49c426d45f5208cd5c9e05cf60f7.tar.bz2 edk2-53ae8314438b49c426d45f5208cd5c9e05cf60f7.zip | |
IntelFrameworkPkg/UefiLib: Avoid mis-calculate of graphic console size
The commit adds check in function InternalPrintGraphic() to ensure that
the expression:
Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)
will not overflow in the UINTN range.
The commit also adds an explicit UINT32 type cast for 'Blt->Width' to
avoid possible overflow in the int range for:
Blt->Width * Blt->Height
Since both Blt->Width and Blt->Height are of type UINT16. They will be
promoted to int (signed) first, and then perform the multiplication
operation. If the result of multiplication between Blt->Width and
Blt->Height exceeds the range of type int, a potential incorrect size will
be passed into function AllocateZeroPool().
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
(cherry picked from commit 9c0e4db3db8d102812ca57f6225290c7ba079ad8)
| -rw-r--r-- | IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c b/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c index f0dcf9fb25..6f06efbe05 100644 --- a/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c +++ b/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c @@ -2,7 +2,7 @@ Mde UEFI library API implementation.
Print to StdErr or ConOut defined in EFI_SYSTEM_TABLE
- Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -474,7 +474,14 @@ InternalPrintGraphic ( } else if (FeaturePcdGet (PcdUgaConsumeSupport)) {
ASSERT (UgaDraw!= NULL);
- Blt->Image.Bitmap = AllocateZeroPool (Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
+ //
+ // Ensure Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow.
+ //
+ if (Blt->Width > DivU64x32 (MAX_UINTN, Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {
+ goto Error;
+ }
+
+ Blt->Image.Bitmap = AllocateZeroPool ((UINT32) Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
ASSERT (Blt->Image.Bitmap != NULL);
//
|