author | John Baldwin <jhb@FreeBSD.org> | 2022-10-03 15:47:08 -0700 |
---|---|---|
committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2024-09-03 04:09:19 +0000 |
commit | a859f4fc0397ec4a9d1af016b7e1f03ccf14b605 (patch) | |
tree | b4bd7e475dd2e6806c48afe4aafd82d9e079e405 /MdePkg | |
parent | 909849be87a7f931f9fb627522cc664c06987712 (diff) | |
MdePkg: Fix a buffer overread.

DevPathToTextUsbWWID allocates a separate copy of the SerialNumber
string to append a null terminator if the original string is not null
terminated. However, by using AllocateCopyPool, it tries to copy
'Length + 1' words from the existing string containing 'Length'
characters into the target string. Split the copy out to only copy
'Length' characters instead.

This was reported by GCC's -Wstringop-overread when compiling a copy
of this routine included in a library on FreeBSD.

Signed-off-by: John Baldwin <jhb@FreeBSD.org>
Diffstat (limited to 'MdePkg')
-rw-r--r-- | MdePkg/Library/UefiDevicePathLib/DevicePathToText.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/MdePkg/Library/UefiDevicePathLib/DevicePathToText.c b/MdePkg/Library/UefiDevicePathLib/DevicePathToText.c index 468baa5a76..afbd590787 100644 --- a/MdePkg/Library/UefiDevicePathLib/DevicePathToText.c +++ b/MdePkg/Library/UefiDevicePathLib/DevicePathToText.c @@ -1003,8 +1003,9 @@ DevPathToTextUsbWWID ( //
// In case no NULL terminator in SerialNumber, create a new one with NULL terminator
//
- NewStr = AllocateCopyPool ((Length + 1) * sizeof (CHAR16), SerialNumberStr);
+ NewStr = AllocatePool ((Length + 1) * sizeof (CHAR16));
ASSERT (NewStr != NULL);
+ CopyMem (NewStr, SerialNumberStr, Length * sizeof (CHAR16));
NewStr[Length] = 0;
SerialNumberStr = NewStr;
}
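
Review bot: the only guard between `AllocatePool` and the new `CopyMem (NewStr, SerialNumberStr, Length * sizeof (CHAR16));` is `ASSERT (NewStr != NULL);`, which does nothing in builds where assertions are disabled, so a failed allocation there leads to a copy into a NULL destination followed by the `NewStr[Length] = 0` store. Consider an explicit `if (NewStr == NULL)` check that bails out before the copy; how to bail out depends on the function's error-handling convention, which is not visible in this hunk. The copy size itself looks right: `Length` characters are read from the source and the terminator is written separately into the `Length + 1` element buffer, which matches the commit message.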