From 6805854a736b0e0192fb4863da4db4295345c87b Mon Sep 17 00:00:00 2001 From: Jian J Wang Date: Mon, 25 Dec 2017 10:07:39 +0800 Subject: MdePkg/BasePrintLib: Fix error in Precision position calculation Due to a potential hole in the stop condition of loop, the two continuous access to ArgumentString (index, index+1) inside the loop might cause the string ending character ('\0') and the byte after it to be read. Cc: Michael D Kinney Cc: Liming Gao Cc: Jiewen Yao Cc: Star Zeng Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang Reviewed-by: Liming Gao --- MdePkg/Library/BasePrintLib/PrintLibInternal.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/MdePkg/Library/BasePrintLib/PrintLibInternal.c b/MdePkg/Library/BasePrintLib/PrintLibInternal.c index 28d946472f..fc57255068 100644 --- a/MdePkg/Library/BasePrintLib/PrintLibInternal.c +++ b/MdePkg/Library/BasePrintLib/PrintLibInternal.c @@ -1107,7 +1107,10 @@ BasePrintLibSPrintMarker ( // Compute the number of characters in ArgumentString and store it in Count // ArgumentString is either null-terminated, or it contains Precision characters // - for (Count = 0; Count < Precision || ((Flags & PRECISION) == 0); Count++) { + for (Count = 0; + ArgumentString[Count * BytesPerArgumentCharacter] != '\0' && + (Count < Precision || ((Flags & PRECISION) == 0)); + Count++) { ArgumentCharacter = ((ArgumentString[Count * BytesPerArgumentCharacter] & 0xff) | ((ArgumentString[Count * BytesPerArgumentCharacter + 1]) << 8)) & ArgumentMask; if (ArgumentCharacter == 0) { break; @@ -1164,7 +1167,7 @@ BasePrintLibSPrintMarker ( // // Copy the string into the output buffer performing the required type conversions // - while (Index < Count) { + while (Index < Count && (*ArgumentString) != '\0') { ArgumentCharacter = ((*ArgumentString & 0xff) | (((UINT8)*(ArgumentString + 1)) << 8)) & ArgumentMask; LengthToReturn += (1 * BytesPerOutputCharacter); -- cgit v1.2.3