authorydong10 <ydong10@6f19259b-4bc3-4df7-8a09-765794883524>2012-04-11 07:56:50 +0000
committerydong10 <ydong10@6f19259b-4bc3-4df7-8a09-765794883524>2012-04-11 07:56:50 +0000
commita46c36572d080dbd6c674e156b5ec486517c67c1 (patch)
treee7855f3f170b420d79fdb36a943e48d450360758 /EdkCompatibilityPkg
parentba46ab947991655c105774dfea4745c3493d3864 (diff)
downloadedk2-platforms-a46c36572d080dbd6c674e156b5ec486517c67c1.tar.xz
Add more checks for the BMP file to avoid access violations.
Signed-off-by: Dong Eric <eric.dong@intel.com> Reviewed-by: Gao Liming <liming.gao@intel.com> Reviewed-by: Zhang Chao <chao.b.zhang@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13185 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'EdkCompatibilityPkg')
-rw-r--r--EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c58
-rw-r--r--EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c58
2 files changed, 114 insertions, 2 deletions
diff --git a/EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c b/EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c
index 6a8183e131..9549217388 100644
--- a/EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c
+++ b/EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c
@@ -1,6 +1,6 @@
/*++
-Copyright (c) 2004 - 2010, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2004 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -162,22 +162,78 @@ Returns:
UINTN Height;
UINTN Width;
UINTN ImageIndex;
+ UINTN DataSizePerLine;
BOOLEAN IsAllocated;
+ UINT32 ColorMapNum;
+
+ if (sizeof (BMP_IMAGE_HEADER) > BmpImageSize) {
+ return EFI_INVALID_PARAMETER;
+ }
BmpHeader = (BMP_IMAGE_HEADER *) BmpImage;
+
if (BmpHeader->CharB != 'B' || BmpHeader->CharM != 'M') {
return EFI_UNSUPPORTED;
}
+ //
+ // Doesn't support compress.
+ //
if (BmpHeader->CompressionType != 0) {
return EFI_UNSUPPORTED;
}
//
+ // Only support BITMAPINFOHEADER format.
+ // BITMAPFILEHEADER + BITMAPINFOHEADER = BMP_IMAGE_HEADER
+ //
+ if (BmpHeader->HeaderSize != sizeof (BMP_IMAGE_HEADER) - ((UINTN) &(((BMP_IMAGE_HEADER *)0)->HeaderSize))) {
+ return EFI_UNSUPPORTED;
+ }
+
+ //
+ // The data size in each line must be 4 byte alignment.
+ //
+ DataSizePerLine = ((BmpHeader->PixelWidth * BmpHeader->BitPerPixel + 31) >> 3) & (~0x3);
+ BltBufferSize = MultU64x32 (DataSizePerLine, BmpHeader->PixelHeight);
+ if (BltBufferSize > (UINT32) ~0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((BmpHeader->Size != BmpImageSize) ||
+ (BmpHeader->Size < BmpHeader->ImageOffset) ||
+ (BmpHeader->Size - BmpHeader->ImageOffset != BmpHeader->PixelHeight * DataSizePerLine)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
// Calculate Color Map offset in the image.
//
Image = BmpImage;
BmpColorMap = (BMP_COLOR_MAP *) (Image + sizeof (BMP_IMAGE_HEADER));
+ if (BmpHeader->ImageOffset < sizeof (BMP_IMAGE_HEADER)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (BmpHeader->ImageOffset > sizeof (BMP_IMAGE_HEADER)) {
+ switch (BmpHeader->BitPerPixel) {
+ case 1:
+ ColorMapNum = 2;
+ break;
+ case 4:
+ ColorMapNum = 16;
+ break;
+ case 8:
+ ColorMapNum = 256;
+ break;
+ default:
+ ColorMapNum = 0;
+ break;
+ }
+ if (BmpHeader->ImageOffset - sizeof (BMP_IMAGE_HEADER) != sizeof (BMP_COLOR_MAP) * ColorMapNum) {
+ return EFI_INVALID_PARAMETER;
+ }
+ }
//
// Calculate graphics image data address in the image
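Review bot: The row-size computation `BmpHeader->PixelWidth * BmpHeader->BitPerPixel + 31` is done in 32-bit arithmetic (assuming PixelWidth is the 32-bit field the BMP format defines), so a crafted width can wrap it and yield a small DataSizePerLine that still passes the `Size - ImageOffset` comparison below it. Any later code that sizes or walks buffers from PixelWidth, outside this hunk, would then not be covered by these checks; bounding the operands first closes that, e.g. `if (BmpHeader->BitPerPixel == 0 || BmpHeader->PixelWidth > ((UINT32) ~0 - 31) / BmpHeader->BitPerPixel) { return EFI_INVALID_PARAMETER; }` placed before the DataSizePerLine assignment. The color-map length check is also only reached when `ImageOffset > sizeof (BMP_IMAGE_HEADER)`, so a 1-, 4- or 8-bit image whose ImageOffset equals the header size skips it; if the conversion loop indexes BmpColorMap for those depths, that case should return EFI_INVALID_PARAMETER as well. The identical hunk in GraphicsLite/Graphics.c has both gaps, and the function starts and ends outside the hunks shown.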
diff --git a/EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c b/EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c
index cfdccc5455..5123aacf45 100644
--- a/EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c
+++ b/EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c
@@ -1,6 +1,6 @@
/*++
-Copyright (c) 2004 - 2010, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2004 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -163,22 +163,78 @@ Returns:
UINTN Height;
UINTN Width;
UINTN ImageIndex;
+ UINTN DataSizePerLine;
BOOLEAN IsAllocated;
+ UINT32 ColorMapNum;
+
+ if (sizeof (BMP_IMAGE_HEADER) > BmpImageSize) {
+ return EFI_INVALID_PARAMETER;
+ }
BmpHeader = (BMP_IMAGE_HEADER *) BmpImage;
+
if (BmpHeader->CharB != 'B' || BmpHeader->CharM != 'M') {
return EFI_UNSUPPORTED;
}
+ //
+ // Doesn't support compress.
+ //
if (BmpHeader->CompressionType != 0) {
return EFI_UNSUPPORTED;
}
//
+ // Only support BITMAPINFOHEADER format.
+ // BITMAPFILEHEADER + BITMAPINFOHEADER = BMP_IMAGE_HEADER
+ //
+ if (BmpHeader->HeaderSize != sizeof (BMP_IMAGE_HEADER) - ((UINTN) &(((BMP_IMAGE_HEADER *)0)->HeaderSize))) {
+ return EFI_UNSUPPORTED;
+ }
+
+ //
+ // The data size in each line must be 4 byte alignment.
+ //
+ DataSizePerLine = ((BmpHeader->PixelWidth * BmpHeader->BitPerPixel + 31) >> 3) & (~0x3);
+ BltBufferSize = MultU64x32 (DataSizePerLine, BmpHeader->PixelHeight);
+ if (BltBufferSize > (UINT32) ~0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((BmpHeader->Size != BmpImageSize) ||
+ (BmpHeader->Size < BmpHeader->ImageOffset) ||
+ (BmpHeader->Size - BmpHeader->ImageOffset != BmpHeader->PixelHeight * DataSizePerLine)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
// Calculate Color Map offset in the image.
//
Image = BmpImage;
BmpColorMap = (BMP_COLOR_MAP *) (Image + sizeof (BMP_IMAGE_HEADER));
+ if (BmpHeader->ImageOffset < sizeof (BMP_IMAGE_HEADER)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (BmpHeader->ImageOffset > sizeof (BMP_IMAGE_HEADER)) {
+ switch (BmpHeader->BitPerPixel) {
+ case 1:
+ ColorMapNum = 2;
+ break;
+ case 4:
+ ColorMapNum = 16;
+ break;
+ case 8:
+ ColorMapNum = 256;
+ break;
+ default:
+ ColorMapNum = 0;
+ break;
+ }
+ if (BmpHeader->ImageOffset - sizeof (BMP_IMAGE_HEADER) != sizeof (BMP_COLOR_MAP) * ColorMapNum) {
+ return EFI_INVALID_PARAMETER;
+ }
+ }
//
// Calculate graphics image data address in the image