sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add more check for the bmp file to avoid access violation.

Browse Source 
Signed-off-by: Dong Eric <eric.dong@intel.com>
Reviewed-by: Gao Liming <liming.gao@intel.com>
Reviewed-by: Zhang Chao <chao.b.zhang@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13185 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
ydong10
2012-04-11 07:56:50 +00:00
parent ba46ab9479
commit a46c36572d
4 changed files with 218 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
IntelFrameworkModulePkg/Library/GenericBdsLib/BdsConsole.c
View File

@ -601,7 +601,13 @@ ConvertBmpToGopBlt (
UINTN Height;
UINTN Width;
UINTN ImageIndex;
UINT32 DataSizePerLine;
BOOLEAN IsAllocated;
UINT32 ColorMapNum;
if (sizeof (BMP_IMAGE_HEADER) > BmpImageSize) {
return EFI_INVALID_PARAMETER;
}
BmpHeader = (BMP_IMAGE_HEADER *) BmpImage;
@ -616,11 +622,57 @@ ConvertBmpToGopBlt (
return EFI_UNSUPPORTED;
}
//
// Only support BITMAPINFOHEADER format.
// BITMAPFILEHEADER + BITMAPINFOHEADER = BMP_IMAGE_HEADER
//
if (BmpHeader->HeaderSize != sizeof (BMP_IMAGE_HEADER) - OFFSET_OF(BMP_IMAGE_HEADER, HeaderSize)) {
return EFI_UNSUPPORTED;
}
//
// The data size in each line must be 4 byte alignment.
//
DataSizePerLine = ((BmpHeader->PixelWidth * BmpHeader->BitPerPixel + 31) >> 3) & (~0x3);
BltBufferSize = MultU64x32 (DataSizePerLine, BmpHeader->PixelHeight);
if (BltBufferSize > (UINT32) ~0) {
return EFI_INVALID_PARAMETER;
}
if ((BmpHeader->Size != BmpImageSize) ||
(BmpHeader->Size < BmpHeader->ImageOffset) ||
(BmpHeader->Size - BmpHeader->ImageOffset != BmpHeader->PixelHeight * DataSizePerLine)) {
return EFI_INVALID_PARAMETER;
}
//
// Calculate Color Map offset in the image.
//
Image = BmpImage;
BmpColorMap = (BMP_COLOR_MAP *) (Image + sizeof (BMP_IMAGE_HEADER));
if (BmpHeader->ImageOffset < sizeof (BMP_IMAGE_HEADER)) {
return EFI_INVALID_PARAMETER;
}
if (BmpHeader->ImageOffset > sizeof (BMP_IMAGE_HEADER)) {
switch (BmpHeader->BitPerPixel) {
case 1:
ColorMapNum = 2;
break;
case 4:
ColorMapNum = 16;
break;
case 8:
ColorMapNum = 256;
break;
default:
ColorMapNum = 0;
break;
}
if (BmpHeader->ImageOffset - sizeof (BMP_IMAGE_HEADER) != sizeof (BMP_COLOR_MAP) * ColorMapNum) {
return EFI_INVALID_PARAMETER;
}
}
//
// Calculate graphics image data address in the image
@ -636,8 +688,8 @@ ConvertBmpToGopBlt (
// Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
//
if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {
return EFI_UNSUPPORTED;
}
return EFI_UNSUPPORTED;
}
BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
IsAllocated = FALSE;
@ -798,6 +850,7 @@ EnableQuietBoot (
UINTN NewDestY;
UINTN NewHeight;
UINTN NewWidth;
UINT64 BufferSize;
UgaDraw = NULL;
//
@ -1082,7 +1135,22 @@ Done:
FreePool (Blt);
}
LogoBlt = AllocateZeroPool (LogoWidth * LogoHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
//
// Ensure the LogoHeight * LogoWidth doesn't overflow
//
if (LogoHeight > DivU64x64Remainder ((UINTN) ~0, LogoWidth, NULL)) {
return EFI_UNSUPPORTED;
}
BufferSize = MultU64x64 (LogoWidth, LogoHeight);
//
// Ensure the BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
//
if (BufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {
return EFI_UNSUPPORTED;
}
LogoBlt = AllocateZeroPool ((UINTN)BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
if (LogoBlt == NULL) {
return EFI_OUT_OF_RESOURCES;
}