From 4a75bfb5a016ed51082b05103e4f0bd00b335b8b Mon Sep 17 00:00:00 2001
From: Dandan Bi
Date: Wed, 12 Apr 2017 11:21:52 +0800
Subject: [PATCH] MdeModulePkg/HiiDB: Avoid incorrect results of multiplication
An example: The codes in function Output8bitPixel in Image.c: OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos); Both Image->Width and Ypos are of type UINT16. They will be promoted to int (signed) first, and then perform the multiplication defined by macro BITMAP_LEN_8_BIT. If the result of multiplication between Image->Width and Ypos exceeds the range of type int, a potential incorrect results will be assigned to OffsetY. This commit adds explicit UINT32 type cast for 'Image->Width' to avoid possible overflow in the int range. And also fix similar issues in HiiDatabase.
Cc: Eric Dong
Cc: Liming Gao
Cc: Hao Wu
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi
Reviewed-by: Hao Wu
(cherry picked from commit f76bc44362e5f0a2ea509c07b2f6846bd9833ee8)
---
 MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
index e2fa16e6e0..431a5b8454 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
@@ -105,7 +105,7 @@ GetImageIdOrAddress (
 case EFI_HII_IIBT_IMAGE_8BIT_TRANS:
 Length = sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) +
 BITMAP_LEN_8_BIT (
- ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+ (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
 ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height)
 );
 ImageIdCurrent++;
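Review bot: The `(UINT32)` cast is applied at each call site of BITMAP_LEN_8_BIT rather than once in the macro, so any call site this patch does not touch, or one added later, still multiplies two operands promoted to `int`. If the macro is the plain product the commit message describes (its definition is outside this patch), widening there covers every caller: `#define BITMAP_LEN_8_BIT(Width, Height) ((UINT32) (Width) * (Height))`. GetImageIdOrAddress continues outside this hunk, so the declared type of `Length` could not be checked from here.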
@@ -115,7 +115,7 @@ GetImageIdOrAddress (
 case EFI_HII_IIBT_IMAGE_24BIT_TRANS:
 Length = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) +
 BITMAP_LEN_24_BIT (
- ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+ (UINT32) ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
 ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height)
 );
 ImageIdCurrent++;
@@ -453,7 +453,7 @@ Output8bitPixel (
 // Convert the pixel from 8 bits to corresponding color.
 //
 for (Ypos = 0; Ypos < Image->Height; Ypos++) {
- OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos);
+ OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
 //
 // All bits are meaningful since the bitmap is 8 bits per pixel.
 //
@@ -493,7 +493,7 @@ Output24bitPixel (
 BitMapPtr = Image->Bitmap;
 for (Ypos = 0; Ypos < Image->Height; Ypos++) {
- OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos);
+ OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
 CopyRgbToGopPixel (&BitMapPtr[OffsetY], &Data[OffsetY], Image->Width);
 }
@@ -650,7 +650,7 @@ HiiNewImage (
 }
 NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) +
- BITMAP_LEN_24_BIT (Image->Width, Image->Height);
+ BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
 //
 // Get the image package in the package list,
@@ -753,7 +753,7 @@ HiiNewImage (
 }
 WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)->Bitmap.Width, Image->Width);
 WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)->Bitmap.Height, Image->Height);
- CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)->Bitmap.Bitmap, Image->Bitmap, Image->Width * Image->Height);
+ CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)->Bitmap.Bitmap, Image->Bitmap, (UINT32) Image->Width * Image->Height);
 //
 // Append the block end
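Review bot: The 24-bit length in the `@@ -115` hunk can still wrap after the cast: assuming BITMAP_LEN_24_BIT multiplies width by height by three, as its name suggests (the macro is defined outside this patch), two UINT16 operands reach 65535 * 65535 * 3, which does not fit in 32 bits. The cast turns signed-int overflow into silent modulo-2^32 truncation, and the same applies to `NewBlockSize` in the HiiNewImage hunk at `@@ -650` and to `OldBlockSize` / `NewBlockSize` in the HiiSetImage hunks at `@@ -1103` and `@@ -1115`. Where such a size is used to allocate or to step over a block while CopyGopToRgbPixel is given the full `Width * Height` pixel count, a truncated size would mean a write past the buffer; the allocations themselves are outside these hunks, so that use should be confirmed there. A bound check before the size is computed would close it, for example rejecting the image when `(UINT32) Image->Width * Image->Height > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL))) / 3`.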
@@ -896,7 +896,7 @@ IGetImage (
 //
 CopyMem (&Iibt1bit, CurrentImageBlock, sizeof (EFI_HII_IIBT_IMAGE_1BIT_BLOCK));
 ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) *
- (Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
+ ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
 Image->Bitmap = AllocateZeroPool (ImageLength);
 if (Image->Bitmap == NULL) {
 return EFI_OUT_OF_RESOURCES;
@@ -947,7 +947,7 @@ IGetImage (
 case EFI_HII_IIBT_IMAGE_24BIT:
 Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width);
 Height = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height);
- ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * (Width * Height);
+ ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) Width * Height);
 Image->Bitmap = AllocateZeroPool (ImageLength);
 if (Image->Bitmap == NULL) {
 return EFI_OUT_OF_RESOURCES;
@@ -1095,7 +1095,7 @@ HiiSetImage (
 case EFI_HII_IIBT_IMAGE_8BIT_TRANS:
 OldBlockSize = sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) +
 BITMAP_LEN_8_BIT (
- ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+ (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
 ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height)
 );
 break;
@@ -1103,7 +1103,7 @@ HiiSetImage (
 case EFI_HII_IIBT_IMAGE_24BIT_TRANS:
 OldBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) +
 BITMAP_LEN_24_BIT (
- ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+ (UINT32) ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
 ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height)
 );
 break;
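Review bot: In both IGetImage hunks (`@@ -896` and `@@ -947`) `ImageLength` can still wrap after the cast, because the UINT32 pixel count is then multiplied by `sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)` and that product exceeds 32 bits for large dimensions whenever the arithmetic or `ImageLength` itself is 32 bits wide (its declaration is outside the hunk). Width and Height are read from the image block, and the only check after `AllocateZeroPool (ImageLength)` is for NULL, so a wrapped length would yield a buffer smaller than the `Width * Height` pixels the code after the hunk presumably writes. A guard before the allocation would reject such blocks, with a condition like `(UINT32) Width * Height > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)` (MAX_UINT32 instead if `ImageLength` is a UINT32), returning an error status when it holds.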
@@ -1115,7 +1115,7 @@ HiiSetImage (
 // Create the new image block according to input image.
 //
 NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) +
- BITMAP_LEN_24_BIT (Image->Width, Image->Height);
+ BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
 //
 // Adjust the image package to remove the original block firstly then add the new block.
 //
@@ -1140,7 +1140,7 @@ HiiSetImage (
 WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) NewImageBlock)->Bitmap.Width, Image->Width);
 WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) NewImageBlock)->Bitmap.Height, Image->Height);
 CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) NewImageBlock)->Bitmap.Bitmap,
- Image->Bitmap, Image->Width * Image->Height);
+ Image->Bitmap, (UINT32) Image->Width * Image->Height);
 CopyMem ((UINT8 *) NewImageBlock + NewBlockSize, (UINT8 *) CurrentImageBlock + OldBlockSize, Part2Size);