ShellPkg/map: Fix out-of-bound read when "map fsn"

The below code reads additional one CHAR16 when copying
content from Specific to NewSpecific.
NewSpecific = AllocateCopyPool(
                StrSize(Specific) + sizeof(CHAR16), Specific
                );

The patch fixes this issue.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Jaben Carsey <jaben.carsey@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>

ShellPkg/Library/UefiShellLevel2CommandsLib/Map.c

@@ -1,7 +1,7 @@
 /** @file
   Main file for map shell level 2 command.
 
-  Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
   (C) Copyright 2013-2015 Hewlett-Packard Development Company, L.P.<BR>
   (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
   
@@ -222,17 +222,23 @@ MappingListHasType(
 {
   CHAR16              *NewSpecific;
   RETURN_STATUS       Status;
+  UINTN               Length;
   
   //
   // specific has priority
   //
   if (Specific != NULL) {
-    NewSpecific = AllocateCopyPool(StrSize(Specific) + sizeof(CHAR16), Specific);
+    Length      = StrLen (Specific);
+    //
+    // Allocate enough buffer for Specific and potential ":"
+    //
+    NewSpecific = AllocatePool ((Length + 2) * sizeof(CHAR16));
     if (NewSpecific == NULL){
       return FALSE;
     }
-    if (NewSpecific[StrLen(NewSpecific)-1] != L':') {
+    StrCpyS (NewSpecific, Length + 2, Specific);
-      Status = StrnCatS(NewSpecific, (StrSize(Specific) + sizeof(CHAR16))/sizeof(CHAR16), L":", StrLen(L":"));
+    if (Specific[Length - 1] != L':') {
+      Status = StrnCatS(NewSpecific, Length + 2, L":", StrLen(L":"));
       if (EFI_ERROR (Status)) {
         FreePool(NewSpecific);
         return FALSE;