authorZeng, Star <star.zeng@intel.com>2015-11-25 02:33:06 +0000
committerjyao1 <jyao1@Edk2>2015-11-25 02:33:06 +0000
commitbf14e1077aa66ef1cb49bdaf06181de48bb2477f (patch)
tree4d331634a2697ff6f1b7f0dd5023171c5f8a736f
parent3164361121526318f278a7c1b84bdcc475d4ad95 (diff)
downloadedk2-platforms-bf14e1077aa66ef1cb49bdaf06181de48bb2477f.tar.xz
Check InternalAllocPoolByIndex status before refer buffer.
The original code refers to FreePoolHdr without checking Status, which is obviously wrong and risky. Also, if InternalAllocPoolByIndex() returns an error, then *FreePoolHdr is assigned an uninitialized value, so we initialize Hdr to NULL. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Zeng, Star" <star.zeng@intel.com> Reviewed-by: "Yao, Jiewen" <jiewen.yao@intel.com> Reviewed-by: "Fan, Jeff" <jeff.fan@intel.com> Reviewed-by: "Kinney, Michael D" <michael.d.kinney@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18932 6f19259b-4bc3-4df7-8a09-765794883524
-rw-r--r--MdeModulePkg/Core/PiSmmCore/Pool.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/MdeModulePkg/Core/PiSmmCore/Pool.c b/MdeModulePkg/Core/PiSmmCore/Pool.c
index 34dcc93f1a..761988e416 100644
--- a/MdeModulePkg/Core/PiSmmCore/Pool.c
+++ b/MdeModulePkg/Core/PiSmmCore/Pool.c
@@ -1,7 +1,7 @@
/** @file
SMM Memory pool management functions.
- Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials are licensed and made available
under the terms and conditions of the BSD License which accompanies this
distribution. The full text of the license may be found at
@@ -120,6 +120,7 @@ InternalAllocPoolByIndex (
ASSERT (PoolIndex <= MAX_POOL_INDEX);
Status = EFI_SUCCESS;
+ Hdr = NULL;
if (PoolIndex == MAX_POOL_INDEX) {
Status = SmmInternalAllocatePages (AllocateAnyPages, EfiRuntimeServicesData, EFI_SIZE_TO_PAGES (MAX_POOL_SIZE << 1), &Address);
if (EFI_ERROR (Status)) {
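Review bot: The added `Hdr = NULL;` carries no comment, so a later cleanup could drop it as a redundant initialisation and bring back the indeterminate output value. A one-line comment above it would record the intent, for example `// Make sure *FreePoolHdr is NULL, not indeterminate, if the allocation below fails.` The NULL only helps callers that check Status before using the header, so any other call site of InternalAllocPoolByIndex() outside this diff should be confirmed to do so. The function body continues past the end of this hunk, so the assignment to `*FreePoolHdr` is not visible here.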
@@ -228,7 +229,9 @@ SmmInternalAllocatePool (
}
Status = InternalAllocPoolByIndex (PoolIndex, &FreePoolHdr);
- *Buffer = &FreePoolHdr->Header + 1;
+ if (!EFI_ERROR(Status)) {
+ *Buffer = &FreePoolHdr->Header + 1;
+ }
return Status;
}
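Review bot: On the failure path `*Buffer` is now left untouched, so a caller that ignores the returned Status keeps whatever pointer value it had before the call. If no caller relies on that old value, giving the error path a defined output is a cheap hardening step for SMM code: `} else { *Buffer = NULL; }`. Separately, `EFI_ERROR(Status)` is missing the space before the parenthesis that the rest of the file uses (compare `EFI_ERROR (Status)` in InternalAllocPoolByIndex); it should read `if (!EFI_ERROR (Status)) {`. SmmInternalAllocatePool begins outside this hunk, so earlier return paths were not reviewed.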