diff options
| author | Hao Wu <hao.a.wu@intel.com> | 2015-07-13 01:23:14 +0000 |
|---|---|---|
| committer | hwu1225 <hwu1225@Edk2> | 2015-07-13 01:23:14 +0000 |
| commit | a3c9617ea6a02c2ac747cf274fe9025f2d42c9bb (patch) | |
| tree | 433e8189945827d08fc1f92390afc1df6fc50b2c | |
| parent | 83daa931dc58e708ac446271a2883d6b73bd77ae (diff) | |
| download | edk2-platforms-a3c9617ea6a02c2ac747cf274fe9025f2d42c9bb.tar.xz | |
IntelFrameworkModulePkg BootMaint: Fix potential read over memory boundary
This commit will resolve the issue brought by r17736.
Str = AllocateCopyPool (MaxLen * sizeof (CHAR16), Str1);
The above using of AllocateCopyPool() will read contents out of the scope
of Str1. Potential risk for Str1 allocated at the boundary of memory
region.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Qiu Shumin <shumin.qiu@intel.com>
Reviewed-by: Jeff Fan <jeff.fan@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17931 6f19259b-4bc3-4df7-8a09-765794883524
| -rw-r--r-- | IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c index 1519315d40..56bcfab23f 100644 --- a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c +++ b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c @@ -1096,12 +1096,13 @@ BOpt_AppendFileName ( Size1 = StrSize (Str1);
Size2 = StrSize (Str2);
MaxLen = (Size1 + Size2 + sizeof (CHAR16)) / sizeof (CHAR16);
- Str = AllocateCopyPool (MaxLen * sizeof (CHAR16), Str1);
+ Str = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (Str != NULL);
TmpStr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (TmpStr != NULL);
+ StrCatS (Str, MaxLen, Str1);
if (!((*Str == '\\') && (*(Str + 1) == 0))) {
StrCatS (Str, MaxLen, L"\\");
}
|