MdeModulePkg: Fix misuses of AllocateCopyPool

AllocateCopyPool(AllocationSize, *Buffer) will copy "AllocationSize" bytes of
memory from old "Buffer" to new allocated one. If "AllocationSize" is bigger
than size of "Buffer", heap memory overflow occurs during copy.

One solution is to allocate pool first then copy the necessary bytes to new
memory. Another is using ReallocatePool instead if old buffer will be freed
on spot.

Cc: Star Zeng <star.zeng@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Bi Dandan <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Bi Dandan <dandan.bi@intel.com>

1 files changed, 6 insertions, 2 deletions

diff --git a/MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c b/MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c
index 1505ef9319..17fc3db507 100644
--- a/MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c
+++ b/MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c
@@ -639,9 +639,13 @@ UiListThirdPartyDrivers (
 

     Count++;

     if (Count >= CurrentSize) {

-      DriverListPtr = AllocateCopyPool ((Count + UI_HII_DRIVER_LIST_SIZE) * sizeof (UI_HII_DRIVER_INSTANCE), gHiiDriverList);

+      DriverListPtr = ReallocatePool (

+                        CurrentSize * sizeof (UI_HII_DRIVER_INSTANCE),

+                        (Count + UI_HII_DRIVER_LIST_SIZE)

+                          * sizeof (UI_HII_DRIVER_INSTANCE),

+                        gHiiDriverList

+                        );

       ASSERT (DriverListPtr != NULL);

-      FreePool (gHiiDriverList);

       gHiiDriverList = DriverListPtr;

       CurrentSize += UI_HII_DRIVER_LIST_SIZE;

     }