From nobody Mon Apr 29 01:26:23 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1491980961209560.7911019988627; Wed, 12 Apr 2017 00:09:21 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 447F921DFA7AF; Wed, 12 Apr 2017 00:09:19 -0700 (PDT) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 6D407207E57E0 for ; Wed, 12 Apr 2017 00:09:18 -0700 (PDT) Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Apr 2017 00:09:18 -0700 Received: from shwdeopenpsi114.ccr.corp.intel.com ([10.239.157.135]) by fmsmga001.fm.intel.com with ESMTP; 12 Apr 2017 00:09:16 -0700 X-Original-To: edk2-devel@lists.01.org X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.37,189,1488873600"; d="scan'208";a="1134311164" 
From: Dandan Bi To: edk2-devel@lists.01.org Date: Wed, 12 Apr 2017 15:08:51 +0800 Message-Id: <1491980931-115060-1-git-send-email-dandan.bi@intel.com> X-Mailer: git-send-email 1.9.5.msysgit.1 Subject: [edk2] [patch] MdeModulePkg/HiiDB: Avoid incorrect results of multiplication X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hao Wu , Eric Dong , Liming Gao MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" An example: The codes in function Output8bitPixel in Image.c: OffsetY =3D BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos); Both Image->Width and Ypos are of type UINT16. They will be promoted to int (signed) first, and then perform the multiplication defined by macro BITMAP_LEN_8_BIT. If the result of multiplication between Image->Width and Ypos exceeds the range of type int, a potential incorrect results will be assigned to OffsetY. This commit adds explicit UINT32 type cast for 'Image->Width' to avoid possible overflow in the int range. And also fix similar issues in HiiDatabase. Cc: Eric Dong Cc: Liming Gao Cc: Hao Wu Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dandan Bi Reviewed-by: Hao Wu --- MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/U= niversal/HiiDatabaseDxe/Image.c index e2fa16e..431a5b8 100644 --- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c +++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c 
@@ -103,21 +103,21 @@ GetImageIdOrAddress ( =20 case EFI_HII_IIBT_IMAGE_8BIT: case EFI_HII_IIBT_IMAGE_8BIT_TRANS: Length =3D sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) + BITMAP_LEN_8_BIT ( - ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) Curr= entImageBlock)->Bitmap.Width), + (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOC= K *) CurrentImageBlock)->Bitmap.Width), ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) Curr= entImageBlock)->Bitmap.Height) ); ImageIdCurrent++; break; =20 case EFI_HII_IIBT_IMAGE_24BIT: case EFI_HII_IIBT_IMAGE_24BIT_TRANS: Length =3D sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII= _RGB_PIXEL) + BITMAP_LEN_24_BIT ( - ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLO= CK *) CurrentImageBlock)->Bitmap.Width), + (UINT32) ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_= 24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width), ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLO= CK *) CurrentImageBlock)->Bitmap.Height) ); ImageIdCurrent++; break; =20 @@ -451,11 +451,11 @@ Output8bitPixel ( =20 // // Convert the pixel from 8 bits to corresponding color. // for (Ypos =3D 0; Ypos < Image->Height; Ypos++) { - OffsetY =3D BITMAP_LEN_8_BIT (Image->Width, Ypos); + OffsetY =3D BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos); // // All bits are meaningful since the bitmap is 8 bits per pixel. // for (Xpos =3D 0; Xpos < Image->Width; Xpos++) { Byte =3D *(Data + OffsetY + Xpos); @@ -491,11 +491,11 @@ Output24bitPixel ( ASSERT (Image !=3D NULL && Data !=3D NULL); =20 BitMapPtr =3D Image->Bitmap; =20 for (Ypos =3D 0; Ypos < Image->Height; Ypos++) { - OffsetY =3D BITMAP_LEN_8_BIT (Image->Width, Ypos); + OffsetY =3D BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos); CopyRgbToGopPixel (&BitMapPtr[OffsetY], &Data[OffsetY], Image->Width); } =20 } =20 
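Review bot: The 24-bit `Length` in GetImageIdOrAddress (@@ -103) can still wrap after this cast. With the width promoted to UINT32, `BITMAP_LEN_24_BIT` is evaluated in 32-bit unsigned arithmetic, and a width and height read straight from the image block can push width × height × 3 past 32 bits (assuming the macro multiplies by 3, its definition is not shown here). The cast removes the signed-int overflow, but the result is then a silently truncated block length. The same expression is used for NewBlockSize in HiiNewImage (@@ -648) and HiiSetImage (@@ -1113) and for OldBlockSize (@@ -1093); in HiiSetImage it sizes the `AllocateZeroPool` buffer, while `CopyGopToRgbPixel` is later given the full `(UINT32) Image->Width * Image->Height` pixel count. Consider computing the size in 64 bits, e.g. `MultU64x32 (MultU64x32 (Width, Height), 3)`, and rejecting the block when it does not fit the remaining package size before narrowing; the function body continues outside the hunk.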
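Review bot: In Output24bitPixel (@@ -491), `OffsetY` indexes `BitMapPtr` and `Data` in whole pixels, yet it is computed with `BITMAP_LEN_8_BIT`, which reads as a byte length for an 8-bit bitmap. This presumably works only because that macro is a plain width × height product. Writing `OffsetY = (UINT32) Image->Width * Ypos;` with a comment such as `// Row offset in pixels, not bytes` would state the intent and keep the routine correct if the macro ever changes. The declaration of OffsetY is outside the hunk, so it should be confirmed that its type can hold the 32-bit product.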
@@ -648,11 +648,11 @@ HiiNewImage ( if (PackageListNode =3D=3D NULL) { return EFI_NOT_FOUND; } =20 NewBlockSize =3D sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_H= II_RGB_PIXEL) + - BITMAP_LEN_24_BIT (Image->Width, Image->Height); + BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height); =20 // // Get the image package in the package list, // or create a new image package if image package does not exist. // @@ -751,11 +751,11 @@ HiiNewImage ( } else { ImageBlocks->BlockType =3D EFI_HII_IIBT_IMAGE_24BIT; } WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlo= cks)->Bitmap.Width, Image->Width); WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlo= cks)->Bitmap.Height, Image->Height); - CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)->Bit= map.Bitmap, Image->Bitmap, Image->Width * Image->Height); + CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)->Bit= map.Bitmap, Image->Bitmap, (UINT32) Image->Width * Image->Height); =20 // // Append the block end // ImageBlocks =3D (EFI_HII_IMAGE_BLOCK *) ((UINT8 *) ImageBlocks + NewBloc= kSize); @@ -894,11 +894,11 @@ IGetImage ( // // Use the common block code since the definition of these structures = is the same. // CopyMem (&Iibt1bit, CurrentImageBlock, sizeof (EFI_HII_IIBT_IMAGE_1BIT= _BLOCK)); ImageLength =3D sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * - (Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height); + ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height= ); Image->Bitmap =3D AllocateZeroPool (ImageLength); if (Image->Bitmap =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } =20 
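Review bot: `ImageLength` in IGetImage (@@ -894) can still wrap after the inner cast, because the 32-bit pixel count is then multiplied by `sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)`. Width and Height come from the image block, so the product can exceed 32 bits on builds where UINTN is 32-bit, or if ImageLength is itself a 32-bit variable (its declaration is outside the hunk). `AllocateZeroPool (ImageLength)` would then return a buffer smaller than the pixel-conversion code that follows expects. A bound check before the allocation closes this, e.g. `if (Width != 0 && Height > MAX_UINT32 / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) / Width) { return EFI_INVALID_PARAMETER; }`, using `Iibt1bit.Bitmap.Width`/`Height` here and whatever status the function already returns for malformed packages. The same applies to the 24-bit case in the next hunk (@@ -945).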
@@ -945,11 +945,11 @@ IGetImage ( // fall through // case EFI_HII_IIBT_IMAGE_24BIT: Width =3D ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK = *) CurrentImageBlock)->Bitmap.Width); Height =3D ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK= *) CurrentImageBlock)->Bitmap.Height); - ImageLength =3D sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * (Width * Heig= ht); + ImageLength =3D sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) Wid= th * Height); Image->Bitmap =3D AllocateZeroPool (ImageLength); if (Image->Bitmap =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } =20 @@ -1093,19 +1093,19 @@ HiiSetImage ( break; case EFI_HII_IIBT_IMAGE_8BIT: case EFI_HII_IIBT_IMAGE_8BIT_TRANS: OldBlockSize =3D sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT= 8) + BITMAP_LEN_8_BIT ( - ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) = CurrentImageBlock)->Bitmap.Width), + (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_= BLOCK *) CurrentImageBlock)->Bitmap.Width), ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) = CurrentImageBlock)->Bitmap.Height) ); break; case EFI_HII_IIBT_IMAGE_24BIT: case EFI_HII_IIBT_IMAGE_24BIT_TRANS: OldBlockSize =3D sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI= _HII_RGB_PIXEL) + BITMAP_LEN_24_BIT ( - ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT= _BLOCK *) CurrentImageBlock)->Bitmap.Width), + (UINT32) ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IM= AGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width), ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT= _BLOCK *) CurrentImageBlock)->Bitmap.Height) ); break; default: return EFI_NOT_FOUND; 
@@ -1113,11 +1113,11 @@ HiiSetImage ( =20 // // Create the new image block according to input image. // NewBlockSize =3D sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_H= II_RGB_PIXEL) + - BITMAP_LEN_24_BIT (Image->Width, Image->Height); + BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height); // // Adjust the image package to remove the original block firstly then ad= d the new block. // ImageBlocks =3D AllocateZeroPool (ImagePackage->ImageBlockSize + NewBloc= kSize - OldBlockSize); if (ImageBlocks =3D=3D NULL) { @@ -1138,11 +1138,11 @@ HiiSetImage ( NewImageBlock->BlockType =3D EFI_HII_IIBT_IMAGE_24BIT; } WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) NewImage= Block)->Bitmap.Width, Image->Width); WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) NewImage= Block)->Bitmap.Height, Image->Height); CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) NewImageBlock)->B= itmap.Bitmap, - Image->Bitmap, Image->Width * Image->Height); + Image->Bitmap, (UINT32) Image->Width * Image->Heigh= t); =20 CopyMem ((UINT8 *) NewImageBlock + NewBlockSize, (UINT8 *) CurrentImageB= lock + OldBlockSize, Part2Size); =20 FreePool (ImagePackage->ImageBlock); ImagePackage->ImageBlock =3D ImageBlocks; --=20 1.9.5.msysgit.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel