MdeModulePkg/DxeCapsuleLibFmp: Add more check for the UX capsule

Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
author: Ruiyu Ni <ruiyu.ni@intel.com> 2018-03-16 15:04:05 +0800
committer: Ruiyu Ni <ruiyu.ni@intel.com> 2018-03-16 17:34:42 +0800
commit: d0976b9accedfd1f45fe2f81c59351ed17f34aa0 (patch)
tree: 094f7932837185d4024acc3883f2519549088e7e /MdeModulePkg/Library/DxeCapsuleLibFmp
parent: a2f32ef6ff173ef276a661520196fb04bbaec3f9 (diff)
download: edk2-d0976b9accedfd1f45fe2f81c59351ed17f34aa0.tar.gz
edk2-d0976b9accedfd1f45fe2f81c59351ed17f34aa0.tar.bz2
edk2-d0976b9accedfd1f45fe2f81c59351ed17f34aa0.zip
1 files changed, 19 insertions, 2 deletions
diff --git a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
index 15dbc00216..555c5971d0 100644
--- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
+++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
@@ -330,8 +330,25 @@ DisplayCapsuleImage (
   UINTN                         Width;
   EFI_GRAPHICS_OUTPUT_PROTOCOL  *GraphicsOutput;
 
-  ImagePayload = (DISPLAY_DISPLAY_PAYLOAD *)(CapsuleHeader + 1);
-  PayloadSize = CapsuleHeader->CapsuleImageSize - sizeof(EFI_CAPSULE_HEADER);
+  //
+  // UX capsule doesn't have extended header entries.
+  //
+  if (CapsuleHeader->HeaderSize != sizeof (EFI_CAPSULE_HEADER)) {
+    return EFI_UNSUPPORTED;
+  }
+  ImagePayload = (DISPLAY_DISPLAY_PAYLOAD *)((UINTN) CapsuleHeader + CapsuleHeader->HeaderSize);
+  //
+  // (CapsuleImageSize > HeaderSize) is guaranteed by IsValidCapsuleHeader().
+  //
+  PayloadSize = CapsuleHeader->CapsuleImageSize - CapsuleHeader->HeaderSize;
+
+  //
+  // Make sure the image payload at least contain the DISPLAY_DISPLAY_PAYLOAD header.
+  // Further size check is performed by the logic translating BMP to GOP BLT.
+  //
+  if (PayloadSize <= sizeof (DISPLAY_DISPLAY_PAYLOAD)) {
+    return EFI_INVALID_PARAMETER;
+  }
 
   if (ImagePayload->Version != 1) {
     return EFI_UNSUPPORTED;
author	Ruiyu Ni <ruiyu.ni@intel.com>	2018-03-16 15:04:05 +0800
committer	Ruiyu Ni <ruiyu.ni@intel.com>	2018-03-16 17:34:42 +0800
commit	d0976b9accedfd1f45fe2f81c59351ed17f34aa0 (patch)
tree	094f7932837185d4024acc3883f2519549088e7e /MdeModulePkg/Library/DxeCapsuleLibFmp
parent	a2f32ef6ff173ef276a661520196fb04bbaec3f9 (diff)
download	edk2-d0976b9accedfd1f45fe2f81c59351ed17f34aa0.tar.gz edk2-d0976b9accedfd1f45fe2f81c59351ed17f34aa0.tar.bz2 edk2-d0976b9accedfd1f45fe2f81c59351ed17f34aa0.zip