MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance

https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport 21ef3a321c ca516b1a61 33bab4031a Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-24 16:37:20 -07:00
parent 11cf02f6d0
commit d7a09cb86a
15 changed files with 8915 additions and 9 deletions
--- a/MdePkg/Include/Ebc/ProcessorBind.h
+++ b/MdePkg/Include/Ebc/ProcessorBind.h
@@ -4,7 +4,7 @@
  We currently only have one EBC compiler so there may be some Intel compiler
  specific functions in this file.

-Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials are licensed and made available under 
 the terms and conditions of the BSD License that accompanies this distribution.  
 The full text of the license may be found at
@@ -91,23 +91,28 @@ typedef unsigned long         UINTN;
 /// A value of native width with the highest bit set.
 /// Scalable macro to set the most significant bit in a natural number.
 ///
-#define MAX_BIT     (1ULL << (sizeof (INTN) * 8 - 1)) 
+#define MAX_BIT     ((UINTN)((1ULL << (sizeof (INTN) * 8 - 1))))
 ///
 /// A value of native width with the two highest bits set.
 /// Scalable macro to set the most 2 significant bits in a natural number.
 ///
-#define MAX_2_BITS  (3ULL << (sizeof (INTN) * 8 - 2))
+#define MAX_2_BITS  ((UINTN)(3ULL << (sizeof (INTN) * 8 - 2)))

 ///
 /// Maximum legal EBC address
 ///
-#define MAX_ADDRESS   ((UINTN) ~0)
+#define MAX_ADDRESS   ((UINTN)(~0ULL >> (64 - sizeof (INTN) * 8)))

 ///
 /// Maximum legal EBC INTN and UINTN values.
 ///
-#define MAX_UINTN  ((UINTN) ~0)
-#define MAX_INTN   ((INTN)~MAX_BIT)
+#define MAX_UINTN  ((UINTN)(~0ULL >> (64 - sizeof (INTN) * 8)))
+#define MAX_INTN   ((INTN)(~0ULL >> (65 - sizeof (INTN) * 8)))
+
+///
+/// Minimum legal EBC INTN value.
+///
+#define MIN_INTN   (((INTN)-MAX_INTN) - 1)

 ///
 /// The stack alignment required for EBC