summaryrefslogtreecommitdiffstats
path: root/MdeModulePkg/Universal/HiiDatabaseDxe
diff options
context:
space:
mode:
authorDandan Bi <dandan.bi@intel.com>2019-02-22 15:45:24 +0800
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2020-02-14 08:18:47 +0000
commit764e8ba1389a617639d79d2c4f0d53f4ea4a7387 (patch)
treee1da8aad58d7f666ac8607c004b45f43d7ae6fe0 /MdeModulePkg/Universal/HiiDatabaseDxe
parentc32be82e99ef272e7fa742c2f06ff9a4c3756613 (diff)
downloadedk2-764e8ba1389a617639d79d2c4f0d53f4ea4a7387.tar.gz
edk2-764e8ba1389a617639d79d2c4f0d53f4ea4a7387.tar.bz2
edk2-764e8ba1389a617639d79d2c4f0d53f4ea4a7387.zip
MdeModulePkg/String.c: Zero memory before free (CVE-2019-14558)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611 Cc: Liming Gao <liming.gao@intel.com> Cc: Eric Dong <eric.dong@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Eric Dong <eric.dong@intel.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Diffstat (limited to 'MdeModulePkg/Universal/HiiDatabaseDxe')
-rw-r--r--MdeModulePkg/Universal/HiiDatabaseDxe/String.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
index 505e063d49..2c7ecfea40 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
@@ -2,7 +2,7 @@
Implementation for EFI_HII_STRING_PROTOCOL.
-Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2007 - 2020, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -1006,6 +1006,7 @@ SetStringWorker (
TmpSize
);
+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = Block;
StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize);
@@ -1039,6 +1040,7 @@ SetStringWorker (
OldBlockSize - (StringTextPtr - StringPackage->StringBlock) - StringSize
);
+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = Block;
StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize);
@@ -1090,6 +1092,7 @@ SetStringWorker (
CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize);
+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = Block;
StringPackage->StringPkgHdr->Header.Length += Ext2.Length;
@@ -1275,6 +1278,7 @@ HiiNewString (
// Append a EFI_HII_SIBT_END block to the end.
//
*BlockPtr = EFI_HII_SIBT_END;
+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = StringBlock;
StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;
@@ -1406,6 +1410,7 @@ HiiNewString (
// Append a EFI_HII_SIBT_END block to the end.
//
*BlockPtr = EFI_HII_SIBT_END;
+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = StringBlock;
StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;
@@ -1448,6 +1453,7 @@ HiiNewString (
// Append a EFI_HII_SIBT_END block to the end.
//
*BlockPtr = EFI_HII_SIBT_END;
+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = StringBlock;
StringPackage->StringPkgHdr->Header.Length += Ucs2FontBlockSize;
@@ -1509,6 +1515,7 @@ HiiNewString (
// Append a EFI_HII_SIBT_END block to the end.
//
*BlockPtr = EFI_HII_SIBT_END;
+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = StringBlock;
StringPackage->StringPkgHdr->Header.Length += FontBlockSize + Ucs2FontBlockSize;
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-12 18:20:40 +0000