MdePkg/BasePrintLib: Fix error in Precision position calculation

Due to a potential hole in the stop condition of loop, the two continuous
access to ArgumentString (index, index+1) inside the loop might cause the
string ending character ('\0') and the byte after it to be read.

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

1 files changed, 5 insertions, 2 deletions

diff --git a/MdePkg/Library/BasePrintLib/PrintLibInternal.c b/MdePkg/Library/BasePrintLib/PrintLibInternal.c
index 28d946472f..fc57255068 100644
--- a/MdePkg/Library/BasePrintLib/PrintLibInternal.c
+++ b/MdePkg/Library/BasePrintLib/PrintLibInternal.c
@@ -1107,7 +1107,10 @@ BasePrintLibSPrintMarker (
       // Compute the number of characters in ArgumentString and store it in Count

       // ArgumentString is either null-terminated, or it contains Precision characters

       //

-      for (Count = 0; Count < Precision || ((Flags & PRECISION) == 0); Count++) {

+      for (Count = 0;

+            ArgumentString[Count * BytesPerArgumentCharacter] != '\0' &&

+            (Count < Precision || ((Flags & PRECISION) == 0));

+              Count++) {

         ArgumentCharacter = ((ArgumentString[Count * BytesPerArgumentCharacter] & 0xff) | ((ArgumentString[Count * BytesPerArgumentCharacter + 1]) << 8)) & ArgumentMask;

         if (ArgumentCharacter == 0) {

           break;

@@ -1164,7 +1167,7 @@ BasePrintLibSPrintMarker (
     //

     // Copy the string into the output buffer performing the required type conversions

     //

-    while (Index < Count) {

+    while (Index < Count && (*ArgumentString) != '\0') {

       ArgumentCharacter = ((*ArgumentString & 0xff) | (((UINT8)*(ArgumentString + 1)) << 8)) & ArgumentMask;

 

       LengthToReturn += (1 * BytesPerOutputCharacter);