diff options
| author | Hao Wu <hao.a.wu@intel.com> | 2017-05-22 14:49:11 +0800 |
|---|---|---|
| committer | Hao Wu <hao.a.wu@intel.com> | 2017-06-01 08:46:31 +0800 |
| commit | b1d4b9651e1143245eccd99af0e2940635c2058f (patch) | |
| tree | f31f9e91bb32aa82582a88a75ed098c5081b3062 /MdePkg/Library/BasePrintLib | |
| parent | 4fc8277133fb011d028b4e0a42444ab6f552d0b9 (diff) | |
| download | edk2-b1d4b9651e1143245eccd99af0e2940635c2058f.tar.gz edk2-b1d4b9651e1143245eccd99af0e2940635c2058f.tar.bz2 edk2-b1d4b9651e1143245eccd99af0e2940635c2058f.zip | |
MdePkg/BasePrintLib: Avoid reading content beyond the format string
https://bugzilla.tianocore.org/show_bug.cgi?id=567
In function BasePrintLibSPrintMarker(), when processing ASCII format
strings, if the format string walker pointer 'Format' is pointing at the
end of the format string (i.e. '\0'), the following expression:
*(Format + 1)
will read an undefined value.
Though this value won't affect the functionality, since it will be masked
by variable 'FormatMask':
(*(Format + 1) << 8)) & FormatMask
(FormatMask is 0xff for ASCII format string)
This commit adds additional logic to avoid reading undefined content.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Diffstat (limited to 'MdePkg/Library/BasePrintLib')
| -rw-r--r-- | MdePkg/Library/BasePrintLib/PrintLibInternal.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/MdePkg/Library/BasePrintLib/PrintLibInternal.c b/MdePkg/Library/BasePrintLib/PrintLibInternal.c index 9b15a07ac0..cec5b3bc99 100644 --- a/MdePkg/Library/BasePrintLib/PrintLibInternal.c +++ b/MdePkg/Library/BasePrintLib/PrintLibInternal.c @@ -653,7 +653,7 @@ BasePrintLibSPrintMarker ( //
// Get the first character from the format string
//
- FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
+ FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
//
// Loop until the end of the format string is reached or the output buffer is full
@@ -685,7 +685,7 @@ BasePrintLibSPrintMarker ( //
for (Done = FALSE; !Done; ) {
Format += BytesPerFormatCharacter;
- FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
+ FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
switch (FormatCharacter) {
case '.':
Flags |= PRECISION;
@@ -738,7 +738,7 @@ BasePrintLibSPrintMarker ( for (Count = 0; ((FormatCharacter >= '0') && (FormatCharacter <= '9')); ){
Count = (Count * 10) + FormatCharacter - '0';
Format += BytesPerFormatCharacter;
- FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
+ FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
}
Format -= BytesPerFormatCharacter;
if ((Flags & PRECISION) == 0) {
@@ -1017,7 +1017,7 @@ BasePrintLibSPrintMarker ( case '\r':
Format += BytesPerFormatCharacter;
- FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
+ FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
if (FormatCharacter == '\n') {
//
// Translate '\r\n' to '\r\n'
@@ -1038,7 +1038,7 @@ BasePrintLibSPrintMarker ( //
ArgumentString = "\r\n";
Format += BytesPerFormatCharacter;
- FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
+ FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
if (FormatCharacter != '\r') {
Format -= BytesPerFormatCharacter;
}
@@ -1057,7 +1057,7 @@ BasePrintLibSPrintMarker ( case '\r':
Format += BytesPerFormatCharacter;
- FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
+ FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
if (FormatCharacter == '\n') {
//
// Translate '\r\n' to '\r\n'
@@ -1078,7 +1078,7 @@ BasePrintLibSPrintMarker ( //
ArgumentString = "\r\n";
Format += BytesPerFormatCharacter;
- FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
+ FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
if (FormatCharacter != '\r') {
Format -= BytesPerFormatCharacter;
}
@@ -1206,7 +1206,7 @@ BasePrintLibSPrintMarker ( //
// Get the next character from the format string
//
- FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
+ FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
}
if ((Flags & COUNT_ONLY_NO_PRINT) != 0) {
|