sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

MdePkg/BasePrintLib: Avoid reading content beyond the format string

Browse Source 
https://bugzilla.tianocore.org/show_bug.cgi?id=567

In function BasePrintLibSPrintMarker(), when processing ASCII format
strings, if the format string walker pointer 'Format' is pointing at the
end of the format string (i.e. '\0'), the following expression:
*(Format + 1)
will read an undefined value.

Though this value won't affect the functionality, since it will be masked
by variable 'FormatMask':
(*(Format + 1) << 8)) & FormatMask
(FormatMask is 0xff for ASCII format string)

This commit adds additional logic to avoid reading undefined content.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
This commit is contained in:
Hao Wu 2017-05-22 14:49:11 +08:00
parent 4fc8277133
commit b1d4b9651e
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
MdePkg/Library/BasePrintLib/PrintLibInternal.c
View File

@ -653,7 +653,7 @@ BasePrintLibSPrintMarker (
// //
// Get the first character from the format string // Get the first character from the format string
// //
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
// //
// Loop until the end of the format string is reached or the output buffer is full // Loop until the end of the format string is reached or the output buffer is full
@ -685,7 +685,7 @@ BasePrintLibSPrintMarker (
// //
for (Done = FALSE; !Done; ) { for (Done = FALSE; !Done; ) {
Format += BytesPerFormatCharacter; Format += BytesPerFormatCharacter;
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
switch (FormatCharacter) { switch (FormatCharacter) {
case '.': case '.':
Flags |= PRECISION; Flags |= PRECISION;
@ -738,7 +738,7 @@ BasePrintLibSPrintMarker (
for (Count = 0; ((FormatCharacter >= '0') && (FormatCharacter <= '9')); ){ for (Count = 0; ((FormatCharacter >= '0') && (FormatCharacter <= '9')); ){
Count = (Count * 10) + FormatCharacter - '0'; Count = (Count * 10) + FormatCharacter - '0';
Format += BytesPerFormatCharacter; Format += BytesPerFormatCharacter;
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
} }
Format -= BytesPerFormatCharacter; Format -= BytesPerFormatCharacter;
if ((Flags & PRECISION) == 0) { if ((Flags & PRECISION) == 0) {
@ -1017,7 +1017,7 @@ BasePrintLibSPrintMarker (
case '\r': case '\r':
Format += BytesPerFormatCharacter; Format += BytesPerFormatCharacter;
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
if (FormatCharacter == '\n') { if (FormatCharacter == '\n') {
// //
// Translate '\r\n' to '\r\n' // Translate '\r\n' to '\r\n'
@ -1038,7 +1038,7 @@ BasePrintLibSPrintMarker (
// //
ArgumentString = "\r\n"; ArgumentString = "\r\n";
Format += BytesPerFormatCharacter; Format += BytesPerFormatCharacter;
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
if (FormatCharacter != '\r') { if (FormatCharacter != '\r') {
Format -= BytesPerFormatCharacter; Format -= BytesPerFormatCharacter;
} }
@ -1057,7 +1057,7 @@ BasePrintLibSPrintMarker (
case '\r': case '\r':
Format += BytesPerFormatCharacter; Format += BytesPerFormatCharacter;
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
if (FormatCharacter == '\n') { if (FormatCharacter == '\n') {
// //
// Translate '\r\n' to '\r\n' // Translate '\r\n' to '\r\n'
@ -1078,7 +1078,7 @@ BasePrintLibSPrintMarker (
// //
ArgumentString = "\r\n"; ArgumentString = "\r\n";
Format += BytesPerFormatCharacter; Format += BytesPerFormatCharacter;
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
if (FormatCharacter != '\r') { if (FormatCharacter != '\r') {
Format -= BytesPerFormatCharacter; Format -= BytesPerFormatCharacter;
} }
@ -1206,7 +1206,7 @@ BasePrintLibSPrintMarker (
// //
// Get the next character from the format string // Get the next character from the format string
// //
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
} }
if ((Flags & COUNT_ONLY_NO_PRINT) != 0) { if ((Flags & COUNT_ONLY_NO_PRINT) != 0) {