Add check to make sure the data be valid.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gao, Liming <liming.gao@intel.com>
Reviewed-by: Zeng, Star <star.zeng@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15393 6f19259b-4bc3-4df7-8a09-765794883524

MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c

@@ -1,7 +1,7 @@
 /** @file
   Implementation of the shared functions to do the platform driver vverride mapping.
 
-  Copyright (c) 2007 - 2009, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -691,12 +691,17 @@ InitOverridesMapping (
   //
   VariableNum = 1;
   Corrupted = FALSE;
+  NotEnd = 0;
   do {
     VariableIndex = VariableBuffer;
-    //
-    // End flag
-    //
-    NotEnd = *(UINT32*) VariableIndex;
+    if (VariableIndex + sizeof (UINT32) > (UINT8 *) VariableBuffer + BufferSize) {
+      Corrupted = TRUE;
+    } else {
+      //
+      // End flag
+      //
+      NotEnd = *(UINT32*) VariableIndex;
+    }
     //
     // Traverse the entries containing the mapping that Controller Device Path
     // to a set of Driver Device Paths within this variable.
@@ -706,6 +711,10 @@ InitOverridesMapping (
       //
       // Check signature of this entry
       //
+      if (VariableIndex + sizeof (UINT32) > (UINT8 *) VariableBuffer + BufferSize) {
+        Corrupted = TRUE;
+        break;
+      }
       Signature = *(UINT32 *) VariableIndex;
       if (Signature != PLATFORM_OVERRIDE_ITEM_SIGNATURE) {
         Corrupted = TRUE;
@@ -722,6 +731,10 @@ InitOverridesMapping (
       //
       // Get DriverNum
       //
+      if (VariableIndex + sizeof (UINT32) >= (UINT8 *) VariableBuffer + BufferSize) {
+        Corrupted = TRUE;
+        break;
+      }
       DriverNumber = *(UINT32*) VariableIndex;
       OverrideItem->DriverInfoNum = DriverNumber;
       VariableIndex = VariableIndex + sizeof (UINT32);
@@ -735,6 +748,14 @@ InitOverridesMapping (
       // Align the VariableIndex since the controller device path may not be aligned, refer to the SaveOverridesMapping()
       //
       VariableIndex += ((sizeof(UINT32) - ((UINTN) (VariableIndex))) & (sizeof(UINT32) - 1));
+      //
+      // Check buffer overflow.
+      //
+      if ((OverrideItem->ControllerDevicePath == NULL) || (VariableIndex < (UINT8 *) ControllerDevicePath) || 
+          (VariableIndex > (UINT8 *) VariableBuffer + BufferSize)) {
+        Corrupted = TRUE;
+        break;
+      }
 
       //
       // Get all DriverImageDevicePath[]
@@ -756,8 +777,20 @@ InitOverridesMapping (
         VariableIndex += ((sizeof(UINT32) - ((UINTN) (VariableIndex))) & (sizeof(UINT32) - 1));
 
         InsertTailList (&OverrideItem->DriverInfoList, &DriverImageInfo->Link);
+
+        //
+        // Check buffer overflow
+        //
+        if ((DriverImageInfo->DriverImagePath == NULL) || (VariableIndex < (UINT8 *) DriverDevicePath) || 
+            (VariableIndex < (UINT8 *) VariableBuffer + BufferSize)) {
+          Corrupted = TRUE;
+          break;
+        }
       }
       InsertTailList (MappingDataBase, &OverrideItem->Link);
+      if (Corrupted) {
+        break;
+      }
     }
 
     FreePool (VariableBuffer);
@@ -866,11 +899,11 @@ DeleteOverridesVariables (
   //
   // Check NotEnd to get all PlatDriOverX variable(s)
   //
-  while ((*(UINT32*)VariableBuffer) != 0) {
+  while ((VariableBuffer != NULL) && ((*(UINT32*)VariableBuffer) != 0)) {
+    FreePool (VariableBuffer);
     UnicodeSPrint (OverrideVariableName, sizeof (OverrideVariableName), L"PlatDriOver%d", VariableNum);
     VariableBuffer = GetVariableAndSize (OverrideVariableName, &gEfiCallerIdGuid, &BufferSize);
     VariableNum++;
-    ASSERT (VariableBuffer != NULL);
   }
 
   //
@@ -1057,10 +1090,19 @@ SaveOverridesMapping (
                     VariableNeededSize,
                     VariableBuffer
                     );
-    ASSERT (!EFI_ERROR(Status));
+    FreePool (VariableBuffer);
+
+    if (EFI_ERROR (Status)) {
+      if (NumIndex > 0) {
+        //
+        // Delete all PlatDriOver variables when full mapping can't be set.  
+        //
+        DeleteOverridesVariables ();
+      }
+      return Status;
+    }
 
     NumIndex ++;
-    FreePool (VariableBuffer);
   }
 
   return EFI_SUCCESS;