sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

IntelFrameworkPkg/UefiLib: Avoid mis-calculate of graphic console size

Browse Source 
The commit adds check in function InternalPrintGraphic() to ensure that
the expression:

Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)

will not overflow in the UINTN range.

The commit also adds an explicit UINT32 type cast for 'Blt->Width' to
avoid possible overflow in the int range for:

Blt->Width * Blt->Height

Since both Blt->Width and Blt->Height are of type UINT16. They will be
promoted to int (signed) first, and then perform the multiplication
operation. If the result of multiplication between Blt->Width and
Blt->Height exceeds the range of type int, a potential incorrect size will
be passed into function AllocateZeroPool().

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
(cherry picked from commit 9c0e4db3db)
This commit is contained in:
Hao Wu
2017-03-23 10:45:44 +08:00
parent 591c1bed31
commit 53ae831443
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c
View File

@ -2,7 +2,7 @@
Mde UEFI library API implementation. Mde UEFI library API implementation.
Print to StdErr or ConOut defined in EFI_SYSTEM_TABLE Print to StdErr or ConOut defined in EFI_SYSTEM_TABLE
Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.<BR> Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -474,7 +474,14 @@ InternalPrintGraphic (
} else if (FeaturePcdGet (PcdUgaConsumeSupport)) { } else if (FeaturePcdGet (PcdUgaConsumeSupport)) {
ASSERT (UgaDraw!= NULL); ASSERT (UgaDraw!= NULL);
Blt->Image.Bitmap = AllocateZeroPool (Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); //
// Ensure Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow.
//
if (Blt->Width > DivU64x32 (MAX_UINTN, Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {
goto Error;
}
Blt->Image.Bitmap = AllocateZeroPool ((UINT32) Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
ASSERT (Blt->Image.Bitmap != NULL); ASSERT (Blt->Image.Bitmap != NULL);
// //