From 4535fc312b76cb5b05b6a8064c1c64d9780f55ba Mon Sep 17 00:00:00 2001 From: "Vladimir Olovyannikov via groups.io" Date: Wed, 1 Jul 2020 19:31:13 -0700 Subject: MdePkg: UefiFileHandleLib: fix buffer overrun in FileHandleReadLine() If the size of the supplied buffer in FileHandleReadLine(), module UefiFileHandleLib.c, was not 0, but was not enough to fit in the line, the size is increased, and then the Buffer of the new size is zeroed. This size is always larger than the supplied buffer size, causing supplied buffer overrun. Fix the issue by using the supplied buffer size in ZeroMem(). Signed-off-by: Vladimir Olovyannikov Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Message-Id: <20200702023113.10517-1-vladimir.olovyannikov@broadcom.com> Reviewed-by: Zhiguang Liu [lersek@redhat.com: remove stray space character from subject line] --- MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c index 28e28e5f67..ab34e6ccd5 100644 --- a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c +++ b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c @@ -969,6 +969,7 @@ FileHandleReadLine( UINTN CharSize; UINTN CountSoFar; UINTN CrCount; + UINTN OldSize; UINT64 OriginalFilePosition; if (Handle == NULL @@ -1039,10 +1040,11 @@ FileHandleReadLine( // if we ran out of space tell when... // if ((CountSoFar+1-CrCount)*sizeof(CHAR16) > *Size){ + OldSize = *Size; *Size = (CountSoFar+1-CrCount)*sizeof(CHAR16); if (!Truncate) { - if (Buffer != NULL && *Size != 0) { - ZeroMem(Buffer, *Size); + if (Buffer != NULL && OldSize != 0) { + ZeroMem(Buffer, OldSize); } FileHandleSetPosition(Handle, OriginalFilePosition); return (EFI_BUFFER_TOO_SMALL); -- cgit v1.2.3