MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-)
An example:
The code in function Output8bitPixel in Image.c:
OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
Both Image->Width and Ypos are of type UINT16. They are first promoted to
int (signed), and the multiplication defined by the macro
BITMAP_LEN_8_BIT is then performed in int. If the product of Image->Width and
Ypos exceeds the range of type int, a potentially incorrect result
is assigned to OffsetY.
This commit adds an explicit UINT32 type cast to 'Image->Width' to avoid
possible overflow in the int range, and also fixes similar issues in
HiiDatabase.
Cc: Eric Dong <eric.dong@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
---
MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
index e2fa16e..431a5b8 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
@@ -103,21 +103,21 @@ GetImageIdOrAddress (
case EFI_HII_IIBT_IMAGE_8BIT:
case EFI_HII_IIBT_IMAGE_8BIT_TRANS:
Length = sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) +
BITMAP_LEN_8_BIT (
- ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+ (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height)
);
ImageIdCurrent++;
break;
case EFI_HII_IIBT_IMAGE_24BIT:
case EFI_HII_IIBT_IMAGE_24BIT_TRANS:
Length = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) +
BITMAP_LEN_24_BIT (
- ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+ (UINT32) ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height)
);
ImageIdCurrent++;
break;
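Review bot: In the 24-bit cases the `(UINT32)` cast removes the signed-int promotion, but the product can still wrap. If BITMAP_LEN_24_BIT multiplies Width * Height by the 3-byte pixel size (its definition is not part of this patch), 0xFFFF x 0xFFFF x 3 does not fit in 32 bits and `Length` comes out smaller than the real block. The same applies to `NewBlockSize` in the HiiNewImage hunk and to `OldBlockSize` and `NewBlockSize` in the HiiSetImage hunks, where the value sizes an allocation that CopyGopToRgbPixel then fills with Width * Height pixels. Width and Height here are read straight from the image block, so I would do the arithmetic in 64 bits and fail the call when it does not fit, along the lines of `if ((UINT64) Width * Height * 3 > MAX_UINT32)`. The enclosing switch starts and ends outside this hunk.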
@@ -451,11 +451,11 @@ Output8bitPixel (
//
// Convert the pixel from 8 bits to corresponding color.
//
for (Ypos = 0; Ypos < Image->Height; Ypos++) {
- OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos);
+ OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
//
// All bits are meaningful since the bitmap is 8 bits per pixel.
//
for (Xpos = 0; Xpos < Image->Width; Xpos++) {
Byte = *(Data + OffsetY + Xpos);
@@ -491,11 +491,11 @@ Output24bitPixel (
ASSERT (Image != NULL && Data != NULL);
BitMapPtr = Image->Bitmap;
for (Ypos = 0; Ypos < Image->Height; Ypos++) {
- OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos);
+ OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
CopyRgbToGopPixel (&BitMapPtr[OffsetY], &Data[OffsetY], Image->Width);
}
}
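Review bot: Output24bitPixel computes `OffsetY` with BITMAP_LEN_8_BIT, which reads like a copy-paste slip in a 24-bit routine even though it appears intentional. The value is used as an element index in `&BitMapPtr[OffsetY]` and `&Data[OffsetY]`, so it is a pixel count and not a byte length. A one-line comment above the assignment would keep a later reader from "fixing" it to BITMAP_LEN_24_BIT, for example `// OffsetY is a pixel index (Width * Ypos); both buffers are indexed per pixel.` The declarations of `OffsetY` and `Data` are outside this hunk, so their element types should be confirmed before committing that wording.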
@@ -648,11 +648,11 @@ HiiNewImage (
if (PackageListNode == NULL) {
return EFI_NOT_FOUND;
}
NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) +
- BITMAP_LEN_24_BIT (Image->Width, Image->Height);
+ BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
//
// Get the image package in the package list,
// or create a new image package if image package does not exist.
//
@@ -751,11 +751,11 @@ HiiNewImage (
} else {
ImageBlocks->BlockType = EFI_HII_IIBT_IMAGE_24BIT;
}
WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)->Bitmap.Width, Image->Width);
WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)->Bitmap.Height, Image->Height);
- CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)->Bitmap.Bitmap, Image->Bitmap, Image->Width * Image->Height);
+ CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)->Bitmap.Bitmap, Image->Bitmap, (UINT32) Image->Width * Image->Height);
//
// Append the block end
//
ImageBlocks = (EFI_HII_IMAGE_BLOCK *) ((UINT8 *) ImageBlocks + NewBlockSize);
@@ -894,11 +894,11 @@ IGetImage (
//
// Use the common block code since the definition of these structures is the same.
//
CopyMem (&Iibt1bit, CurrentImageBlock, sizeof (EFI_HII_IIBT_IMAGE_1BIT_BLOCK));
ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) *
- (Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
+ ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
Image->Bitmap = AllocateZeroPool (ImageLength);
if (Image->Bitmap == NULL) {
return EFI_OUT_OF_RESOURCES;
}
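Review bot: `ImageLength` can still wrap on builds where UINTN is 32 bits, because `sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height)` exceeds 32 bits once the pixel count passes MAX_UINTN divided by the pixel size. AllocateZeroPool would then return a buffer shorter than the image that the code after this hunk presumably writes into it, and the dimensions come from the stored image block. A guard before the allocation closes this: `if (Iibt1bit.Bitmap.Width != 0 && Iibt1bit.Bitmap.Height > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) / Iibt1bit.Bitmap.Width) { return EFI_OUT_OF_RESOURCES; }`. The 24-bit case in the next IGetImage hunk (`Width`, `Height`) needs the same check. The type of `ImageLength` is declared outside the hunk, so this assumes it is UINTN.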
@@ -945,11 +945,11 @@ IGetImage (
// fall through
//
case EFI_HII_IIBT_IMAGE_24BIT:
Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width);
Height = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height);
- ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * (Width * Height);
+ ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) Width * Height);
Image->Bitmap = AllocateZeroPool (ImageLength);
if (Image->Bitmap == NULL) {
return EFI_OUT_OF_RESOURCES;
}
@@ -1093,19 +1093,19 @@ HiiSetImage (
break;
case EFI_HII_IIBT_IMAGE_8BIT:
case EFI_HII_IIBT_IMAGE_8BIT_TRANS:
OldBlockSize = sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) +
BITMAP_LEN_8_BIT (
- ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+ (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height)
);
break;
case EFI_HII_IIBT_IMAGE_24BIT:
case EFI_HII_IIBT_IMAGE_24BIT_TRANS:
OldBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) +
BITMAP_LEN_24_BIT (
- ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+ (UINT32) ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height)
);
break;
default:
return EFI_NOT_FOUND;
@@ -1113,11 +1113,11 @@ HiiSetImage (
//
// Create the new image block according to input image.
//
NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) +
- BITMAP_LEN_24_BIT (Image->Width, Image->Height);
+ BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
//
// Adjust the image package to remove the original block firstly then add the new block.
//
ImageBlocks = AllocateZeroPool (ImagePackage->ImageBlockSize + NewBlockSize - OldBlockSize);
if (ImageBlocks == NULL) {
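Review bot: The allocation size `ImagePackage->ImageBlockSize + NewBlockSize - OldBlockSize` is computed with no check that the three terms are consistent. `OldBlockSize` is derived in the previous hunk from the Width and Height stored in the current block, and nothing visible here confirms that it is no larger than `ImagePackage->ImageBlockSize` or that the sum does not wrap. If it does, the pool is undersized for the CopyMem calls that follow (one is visible in the last hunk). I would validate first, e.g. `if (OldBlockSize > ImagePackage->ImageBlockSize) { return EFI_NOT_FOUND; }`, and bound `NewBlockSize` as well. The function body continues outside this hunk, so an earlier check may already exist.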
@@ -1138,11 +1138,11 @@ HiiSetImage (
NewImageBlock->BlockType = EFI_HII_IIBT_IMAGE_24BIT;
}
WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) NewImageBlock)->Bitmap.Width, Image->Width);
WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) NewImageBlock)->Bitmap.Height, Image->Height);
CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) NewImageBlock)->Bitmap.Bitmap,
- Image->Bitmap, Image->Width * Image->Height);
+ Image->Bitmap, (UINT32) Image->Width * Image->Height);
CopyMem ((UINT8 *) NewImageBlock + NewBlockSize, (UINT8 *) CurrentImageBlock + OldBlockSize, Part2Size);
FreePool (ImagePackage->ImageBlock);
ImagePackage->ImageBlock = ImageBlocks;
--
1.9.5.msysgit.1
Reviewed-by: Hao Wu <hao.a.wu@intel.com> Best Regards, Hao Wu > -----Original Message----- > From: Bi, Dandan > Sent: Wednesday, April 12, 2017 3:09 PM > To: edk2-devel@lists.01.org > Cc: Dong, Eric; Gao, Liming; Wu, Hao A > Subject: [patch] MdeModulePkg/HiiDB: Avoid incorrect results of multiplication > > An example: > The codes in function Output8bitPixel in Image.c: > OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos); > > Both Image->Width and Ypos are of type UINT16. They will be promoted to > int (signed) first, and then perform the multiplication defined by macro > BITMAP_LEN_8_BIT. If the result of multiplication between Image->Width and > Ypos exceeds the range of type int, a potential incorrect results > will be assigned to OffsetY. > > This commit adds explicit UINT32 type cast for 'Image->Width' to avoid > possible overflow in the int range. And also fix similar issues in > HiiDatabase. > > Cc: Eric Dong <eric.dong@intel.com> > Cc: Liming Gao <liming.gao@intel.com> > Cc: Hao Wu <hao.a.wu@intel.com> > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Dandan Bi <dandan.bi@intel.com> > --- > MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 24 ++++++++++++--------- > --- > 1 file changed, 12 insertions(+), 12 deletions(-) > > diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c > b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c > index e2fa16e..431a5b8 100644 > --- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c > +++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c 
> @@ -103,21 +103,21 @@ GetImageIdOrAddress ( > > case EFI_HII_IIBT_IMAGE_8BIT: > case EFI_HII_IIBT_IMAGE_8BIT_TRANS: > Length = sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) + > BITMAP_LEN_8_BIT ( > - ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) > CurrentImageBlock)->Bitmap.Width), > + (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) > CurrentImageBlock)->Bitmap.Width), > ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) > CurrentImageBlock)->Bitmap.Height) > ); > ImageIdCurrent++; > break; > > case EFI_HII_IIBT_IMAGE_24BIT: > case EFI_HII_IIBT_IMAGE_24BIT_TRANS: > Length = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof > (EFI_HII_RGB_PIXEL) + > BITMAP_LEN_24_BIT ( > - ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) > CurrentImageBlock)->Bitmap.Width), > + (UINT32) ReadUnaligned16 ((VOID *) > &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width), > ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) > CurrentImageBlock)->Bitmap.Height) > ); > ImageIdCurrent++; > break; > > @@ -451,11 +451,11 @@ Output8bitPixel ( > > // > // Convert the pixel from 8 bits to corresponding color. > // > for (Ypos = 0; Ypos < Image->Height; Ypos++) { > - OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos); > + OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos); > // > // All bits are meaningful since the bitmap is 8 bits per pixel. > // > for (Xpos = 0; Xpos < Image->Width; Xpos++) { > Byte = *(Data + OffsetY + Xpos); > @@ -491,11 +491,11 @@ Output24bitPixel ( > ASSERT (Image != NULL && Data != NULL); > > BitMapPtr = Image->Bitmap; > > for (Ypos = 0; Ypos < Image->Height; Ypos++) { > - OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos); > + OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos); > CopyRgbToGopPixel (&BitMapPtr[OffsetY], &Data[OffsetY], Image->Width); > } > > } 
> > @@ -648,11 +648,11 @@ HiiNewImage ( > if (PackageListNode == NULL) { > return EFI_NOT_FOUND; > } > > NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof > (EFI_HII_RGB_PIXEL) + > - BITMAP_LEN_24_BIT (Image->Width, Image->Height); > + BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height); > > // > // Get the image package in the package list, > // or create a new image package if image package does not exist. > // > @@ -751,11 +751,11 @@ HiiNewImage ( > } else { > ImageBlocks->BlockType = EFI_HII_IIBT_IMAGE_24BIT; > } > WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) > ImageBlocks)->Bitmap.Width, Image->Width); > WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) > ImageBlocks)->Bitmap.Height, Image->Height); > - CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)- > >Bitmap.Bitmap, Image->Bitmap, Image->Width * Image->Height); > + CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)- > >Bitmap.Bitmap, Image->Bitmap, (UINT32) Image->Width * Image->Height); > > // > // Append the block end > // > ImageBlocks = (EFI_HII_IMAGE_BLOCK *) ((UINT8 *) ImageBlocks + > NewBlockSize); > @@ -894,11 +894,11 @@ IGetImage ( > // > // Use the common block code since the definition of these structures is the > same. > // > CopyMem (&Iibt1bit, CurrentImageBlock, sizeof > (EFI_HII_IIBT_IMAGE_1BIT_BLOCK)); > ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * > - (Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height); > + ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height); > Image->Bitmap = AllocateZeroPool (ImageLength); > if (Image->Bitmap == NULL) { > return EFI_OUT_OF_RESOURCES; > } 
> > @@ -945,11 +945,11 @@ IGetImage ( > // fall through > // > case EFI_HII_IIBT_IMAGE_24BIT: > Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK > *) CurrentImageBlock)->Bitmap.Width); > Height = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK > *) CurrentImageBlock)->Bitmap.Height); > - ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * (Width * > Height); > + ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) > Width * Height); > Image->Bitmap = AllocateZeroPool (ImageLength); > if (Image->Bitmap == NULL) { > return EFI_OUT_OF_RESOURCES; > } > > @@ -1093,19 +1093,19 @@ HiiSetImage ( > break; > case EFI_HII_IIBT_IMAGE_8BIT: > case EFI_HII_IIBT_IMAGE_8BIT_TRANS: > OldBlockSize = sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) + > BITMAP_LEN_8_BIT ( > - ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) > CurrentImageBlock)->Bitmap.Width), > + (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK > *) CurrentImageBlock)->Bitmap.Width), > ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) > CurrentImageBlock)->Bitmap.Height) > ); > break; > case EFI_HII_IIBT_IMAGE_24BIT: > case EFI_HII_IIBT_IMAGE_24BIT_TRANS: > OldBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof > (EFI_HII_RGB_PIXEL) + > BITMAP_LEN_24_BIT ( > - ReadUnaligned16 ((VOID *) > &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width), > + (UINT32) ReadUnaligned16 ((VOID *) > &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width), > ReadUnaligned16 ((VOID *) > &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height) > ); > break; > default: > return EFI_NOT_FOUND; 
> @@ -1113,11 +1113,11 @@ HiiSetImage ( > > // > // Create the new image block according to input image. > // > NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof > (EFI_HII_RGB_PIXEL) + > - BITMAP_LEN_24_BIT (Image->Width, Image->Height); > + BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height); > // > // Adjust the image package to remove the original block firstly then add the > new block. > // > ImageBlocks = AllocateZeroPool (ImagePackage->ImageBlockSize + > NewBlockSize - OldBlockSize); > if (ImageBlocks == NULL) { > @@ -1138,11 +1138,11 @@ HiiSetImage ( > NewImageBlock->BlockType = EFI_HII_IIBT_IMAGE_24BIT; > } > WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) > NewImageBlock)->Bitmap.Width, Image->Width); > WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) > NewImageBlock)->Bitmap.Height, Image->Height); > CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) > NewImageBlock)->Bitmap.Bitmap, > - Image->Bitmap, Image->Width * Image->Height); > + Image->Bitmap, (UINT32) Image->Width * Image->Height); > > CopyMem ((UINT8 *) NewImageBlock + NewBlockSize, (UINT8 *) > CurrentImageBlock + OldBlockSize, Part2Size); > > FreePool (ImagePackage->ImageBlock); > ImagePackage->ImageBlock = ImageBlocks; > -- > 1.9.5.msysgit.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel