Add more check for the bmp file to avoid access violation.

Signed-off-by: Dong Eric <eric.dong@intel.com> Reviewed-by: Gao Liming <liming.gao@intel.com> Reviewed-by: Zhang Chao <chao.b.zhang@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13185 6f19259b-4bc3-4df7-8a09-765794883524
2012-04-11 07:56:50 +00:00
parent ba46ab9479
commit a46c36572d
4 changed files with 218 additions and 6 deletions
--- a/MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.c
+++ b/MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.c
@ -157,6 +157,8 @@ SetBootLogo (
  IN UINTN                             Height
  )
 {
+  UINT64                        BufferSize;
+
  if (BltBuffer == NULL) {
    mIsLogoValid = FALSE;
    mAcpiBgrtStatusChanged = TRUE;
@ -172,9 +174,24 @@ SetBootLogo (
    FreePool (mLogoBltBuffer);
    mLogoBltBuffer = NULL;
  }
+  
+  //
+  // Ensure the Height * Width doesn't overflow
+  //
+  if (Height > DivU64x64Remainder ((UINTN) ~0, Width, NULL)) {
+    return EFI_UNSUPPORTED;
+  }
+  BufferSize = MultU64x64 (Width, Height);
+  
+  //
+  // Ensure the BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
+  //
+  if (BufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {
+    return EFI_UNSUPPORTED;
+  }

  mLogoBltBuffer = AllocateCopyPool (
-                     Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL),
+                     (UINTN)BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL),
                     BltBuffer
                     );
  if (mLogoBltBuffer == NULL) {
@ -330,6 +347,21 @@ InstallBootGraphicsResourceTable (
    // Allocate memory for BMP file.
    //
    PaddingSize = mLogoWidth & 0x3;
+
+    //
+    // First check mLogoWidth * 3 + PaddingSize doesn't overflow
+    //
+    if (mLogoWidth > (((UINT32) ~0) - PaddingSize) / 3 ) {
+      return EFI_UNSUPPORTED;
+    }
+
+    //
+    // Second check (mLogoWidth * 3 + PaddingSize) * mLogoHeight + sizeof (BMP_IMAGE_HEADER) doesn't overflow
+    //
+    if (mLogoHeight > (((UINT32) ~0) - sizeof (BMP_IMAGE_HEADER)) / (mLogoWidth * 3 + PaddingSize)) {
+      return EFI_UNSUPPORTED;
+    }
+    
    BmpSize = (mLogoWidth * 3 + PaddingSize) * mLogoHeight + sizeof (BMP_IMAGE_HEADER);
    ImageBuffer = BgrtAllocateReservedMemoryBelow4G (BmpSize);
    if (ImageBuffer == NULL) {