From 469293f8ee406f2b0bad2cf3bbbc510b2a1364eb Mon Sep 17 00:00:00 2001 From: Jian J Wang Date: Wed, 1 Nov 2017 23:18:34 +0800 Subject: MdeModulePkg: Fix misuses of AllocateCopyPool AllocateCopyPool(AllocationSize, *Buffer) will copy "AllocationSize" bytes of memory from old "Buffer" to new allocated one. If "AllocationSize" is bigger than size of "Buffer", heap memory overflow occurs during copy. One solution is to allocate pool first then copy the necessary bytes to new memory. Another is using ReallocatePool instead if old buffer will be freed on spot. Cc: Star Zeng Cc: Eric Dong Cc: Bi Dandan Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang Reviewed-by: Star Zeng Reviewed-by: Bi Dandan --- MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'MdeModulePkg/Application/UiApp') diff --git a/MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c b/MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c index 1505ef9319..17fc3db507 100644 --- a/MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c +++ b/MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c @@ -639,9 +639,13 @@ UiListThirdPartyDrivers ( Count++; if (Count >= CurrentSize) { - DriverListPtr = AllocateCopyPool ((Count + UI_HII_DRIVER_LIST_SIZE) * sizeof (UI_HII_DRIVER_INSTANCE), gHiiDriverList); + DriverListPtr = ReallocatePool ( + CurrentSize * sizeof (UI_HII_DRIVER_INSTANCE), + (Count + UI_HII_DRIVER_LIST_SIZE) + * sizeof (UI_HII_DRIVER_INSTANCE), + gHiiDriverList + ); ASSERT (DriverListPtr != NULL); - FreePool (gHiiDriverList); gHiiDriverList = DriverListPtr; CurrentSize += UI_HII_DRIVER_LIST_SIZE; } -- cgit v1.2.3