From f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d Mon Sep 17 00:00:00 2001
From: Dandan Bi
Date: Mon, 6 May 2019 16:43:34 +0800
Subject: MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611
Cc: Liming Gao
Cc: Eric Dong
Cc: Jian J Wang
Signed-off-by: Dandan Bi
Reviewed-by: Eric Dong
Reviewed-by: Jian J Wang
---
 MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c b/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
index 7d9486112b..e7306f6d04 100644
--- a/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
+++ b/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
@@ -2,7 +2,7 @@
 Implementation for handling the User Interface option processing.
-Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2004 - 2020, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
@@ -823,6 +823,7 @@ PasswordProcess (
 //
 Status = ReadString (MenuOption, gPromptForPassword, StringPtr);
 if (EFI_ERROR (Status)) {
+ ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16));
 FreePool (StringPtr);
 return Status;
 }
@@ -840,7 +841,7 @@ PasswordProcess (
 } else {
 Status = EFI_SUCCESS;
 }
-
+ ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16));
 FreePool (StringPtr);
 return Status;
 }
@@ -856,6 +857,7 @@ PasswordProcess (
 // Reset state machine for password
 //
 Question->PasswordCheck (gFormData, Question, NULL);
+ ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16));
 FreePool (StringPtr);
 return Status;
 }
@@ -871,6 +873,8 @@ PasswordProcess (
 // Reset state machine for password
 //
 Question->PasswordCheck (gFormData, Question, NULL);
+ ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16));
+ ZeroMem (TempString, (Maximum + 1) * sizeof (CHAR16));
 FreePool (StringPtr);
 FreePool (TempString);
 return Status;
--
cgit v1.2.3
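Review bot: The wipe length `(Maximum + 1) * sizeof (CHAR16)` is written out by hand at each of the five `ZeroMem` calls added in the four PasswordProcess hunks (`@@ -823`, `@@ -840`, `@@ -856`, `@@ -871`), and it must equal the size StringPtr and TempString were allocated with, which is not visible in these hunks. If the allocation is ever changed, a stale length here would either leave password characters behind in the freed pool or clear past the end of the buffer. Assigning the size once where the buffers are allocated, `StringSize = (Maximum + 1) * sizeof (CHAR16);`, and calling `ZeroMem (StringPtr, StringSize);` at each exit keeps the two in step. PasswordProcess starts and ends outside the hunks, which show only four of its exits, so it is worth confirming that every other path freeing either buffer, including the successful one, clears it first.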