From nobody Mon Apr 29 13:45:15 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1491877083507983.0654062993574; Mon, 10 Apr 2017 19:18:03 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id C582D21939252; Mon, 10 Apr 2017 19:17:30 -0700 (PDT) Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 8391D21939230 for ; Mon, 10 Apr 2017 19:17:29 -0700 (PDT) Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Apr 2017 19:17:29 -0700 Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.13]) by orsmga001.jf.intel.com with ESMTP; 10 Apr 2017 19:17:28 -0700 X-Original-To: edk2-devel@lists.01.org DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=intel.com; i=@intel.com; q=dns/txt; s=intel; t=1491877049; x=1523413049; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=EJ1UL4B+gJEIy+1j56IDVo6AATT0JuQ+3Nllaz8Z4DQ=; b=T1xrMtyyrEtrO9PeWlo+xnE4BLaFv1hDPd4ypC8MaJxRFmhCHNEqIBMW iNB+A8+9Z+xemHY3ZmYJVFHWE9f7XA==; X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.37,184,1488873600"; d="scan'208";a="1117994657" From: Hao Wu To: edk2-devel@lists.01.org Date: Tue, 11 Apr 2017 10:17:23 +0800 Message-Id: <20170411021724.16688-2-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20170411021724.16688-1-hao.a.wu@intel.com> References: <20170411021724.16688-1-hao.a.wu@intel.com> Subject: [edk2] [PATCH 1/2] MdePkg/UefiLib: Avoid mis-calculate of graphic console size X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hao Wu , Liming Gao MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The commit adds check in function InternalPrintGraphic() to ensure that the expression: Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) will not overflow in the UINTN range. The commit also adds an explicit UINT32 type cast for 'Blt->Width' to avoid possible overflow in the int range for: Blt->Width * Blt->Height Since both Blt->Width and Blt->Height are of type UINT16. They will be promoted to int (signed) first, and then perform the multiplication operation. If the result of multiplication between Blt->Width and Blt->Height exceeds the range of type int, a potential incorrect size will be passed into funciton AllocateZeroPool(). Cc: Liming Gao Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu Reviewed-by: Liming Gao --- MdePkg/Library/UefiLib/UefiLibPrint.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/MdePkg/Library/UefiLib/UefiLibPrint.c b/MdePkg/Library/UefiLib= /UefiLibPrint.c index 9f52e7d0ce..5527f8e7a8 100644 --- a/MdePkg/Library/UefiLib/UefiLibPrint.c +++ b/MdePkg/Library/UefiLib/UefiLibPrint.c @@ -2,7 +2,7 @@ Mde UEFI library API implementation. Print to StdErr or ConOut defined in EFI_SYSTEM_TABLE =20 - Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.
+ Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BS= D License which accompanies this distribution. The full text of the license may b= e found at @@ -474,7 +474,14 @@ InternalPrintGraphic ( } else if (FeaturePcdGet (PcdUgaConsumeSupport)) { ASSERT (UgaDraw!=3D NULL); =20 - Blt->Image.Bitmap =3D AllocateZeroPool (Blt->Width * Blt->Height * siz= eof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); + // + // Ensure Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) does= n't overflow. + // + if (Blt->Width > DivU64x32 (MAX_UINTN, Blt->Height * sizeof (EFI_GRAPH= ICS_OUTPUT_BLT_PIXEL))) { + goto Error; + } + + Blt->Image.Bitmap =3D AllocateZeroPool ((UINT32) Blt->Width * Blt->Hei= ght * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); ASSERT (Blt->Image.Bitmap !=3D NULL); =20 // --=20 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Mon Apr 29 13:45:15 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1491877085257504.30312204527763; Mon, 10 Apr 2017 19:18:05 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 05B0E21DFA7AF; Mon, 10 Apr 2017 19:17:32 -0700 (PDT) Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 1739120D764AD for ; Mon, 10 Apr 2017 19:17:31 -0700 (PDT) Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Apr 2017 19:17:30 -0700 Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.13]) by orsmga001.jf.intel.com with ESMTP; 10 Apr 2017 19:17:29 -0700 X-Original-To: edk2-devel@lists.01.org DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=intel.com; i=@intel.com; q=dns/txt; s=intel; t=1491877051; x=1523413051; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=jdoyghb8PIUutKjc4yH9gFcbc4lEYQgQY/AH2iHZrvU=; b=Z/LTWNcu41J1TNgr+IoasN8wPrEXHfyfQnMi36K1pw0ZHYiC2UosfIV6 WRf9W+yiK5oh4vREp+VFqJ3hJ0zVBQ==; X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.37,184,1488873600"; d="scan'208";a="1117994664" From: Hao Wu To: edk2-devel@lists.01.org Date: Tue, 11 Apr 2017 10:17:24 +0800 Message-Id: <20170411021724.16688-3-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20170411021724.16688-1-hao.a.wu@intel.com> References: <20170411021724.16688-1-hao.a.wu@intel.com> Subject: [edk2] [PATCH 2/2] IntelFrameworkPkg/UefiLib: Avoid mis-calculate of graphic console size X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hao Wu , Liming Gao MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The commit adds check in function InternalPrintGraphic() to ensure that the expression: Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) will not overflow in the UINTN range. The commit also adds an explicit UINT32 type cast for 'Blt->Width' to avoid possible overflow in the int range for: Blt->Width * Blt->Height Since both Blt->Width and Blt->Height are of type UINT16. They will be promoted to int (signed) first, and then perform the multiplication operation. If the result of multiplication between Blt->Width and Blt->Height exceeds the range of type int, a potential incorrect size will be passed into funciton AllocateZeroPool(). Cc: Liming Gao Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu Reviewed-by: Liming Gao --- IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c b/In= telFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c index f0dcf9fb25..6f06efbe05 100644 --- a/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c +++ b/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c @@ -2,7 +2,7 @@ Mde UEFI library API implementation. Print to StdErr or ConOut defined in EFI_SYSTEM_TABLE =20 - Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.
+ Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BS= D License which accompanies this distribution. The full text of the license may b= e found at @@ -474,7 +474,14 @@ InternalPrintGraphic ( } else if (FeaturePcdGet (PcdUgaConsumeSupport)) { ASSERT (UgaDraw!=3D NULL); =20 - Blt->Image.Bitmap =3D AllocateZeroPool (Blt->Width * Blt->Height * siz= eof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); + // + // Ensure Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) does= n't overflow. + // + if (Blt->Width > DivU64x32 (MAX_UINTN, Blt->Height * sizeof (EFI_GRAPH= ICS_OUTPUT_BLT_PIXEL))) { + goto Error; + } + + Blt->Image.Bitmap =3D AllocateZeroPool ((UINT32) Blt->Width * Blt->Hei= ght * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); ASSERT (Blt->Image.Bitmap !=3D NULL); =20 // --=20 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel