author: Hao Wu <hao.a.wu@intel.com> 2017-12-13 14:39:07 +0800
committer: Hao Wu <hao.a.wu@intel.com> 2018-10-23 14:23:35 +0800
commit: 89f75aa04a97293a8ed9db2a90851a5053730cf5 (patch)
tree: 822702d88269a3b46febe066e368243cc85828c4 /MdeModulePkg
parent: 5c0748f43f4e1cc15fdd0be64a764eacd7df92f6 (diff)
MdeModulePkg/UdfDxe: Add boundary check for ComponentIdentifier decode
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828

Within ResolveSymlink():
The boundary check will validate the 'LengthofComponentIdentifier' field of a
Path Component matches the data within the relating (Extended) File Entry.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
Diffstat (limited to 'MdeModulePkg')
-rw-r--r-- MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 4
1 files changed, 4 insertions, 0 deletions
diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
index c7d9ad498c..359fac0adf 100644
--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
@@ -2219,6 +2219,10 @@ ResolveSymlink (
return EFI_VOLUME_CORRUPTED;
}
+ if ((UINTN)PathComp->ComponentIdentifier + PathCompLength > (UINTN)EndData) {
+ return EFI_VOLUME_CORRUPTED;
+ }
+
Char = FileName;
for (Index = 1; Index < PathCompLength; Index++) {
if (CompressionId == 16) {
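Review bot: the added bounds check builds its end address by addition, `(UINTN)PathComp->ComponentIdentifier + PathCompLength`, and nothing in the visible lines shows the width of PathCompLength or that PathComp->ComponentIdentifier has already been confirmed to lie at or before EndData. If PathCompLength can carry a large value taken from the medium, the sum can wrap and pass the comparison. Comparing the length against the remaining space, `PathCompLength > (UINTN)EndData - (UINTN)PathComp->ComponentIdentifier`, avoids that once the start pointer is known to be in range. The check also has no comment. A one-line note that it guards the decode loop below, which indexes the identifier up to PathCompLength, against a LengthofComponentIdentifier larger than the (Extended) File Entry data would help later readers.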