summaryrefslogtreecommitdiff
path: root/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsConsole.c
diff options
context:
space:
mode:
authorydong10 <ydong10@6f19259b-4bc3-4df7-8a09-765794883524>2012-04-11 07:56:50 +0000
committerydong10 <ydong10@6f19259b-4bc3-4df7-8a09-765794883524>2012-04-11 07:56:50 +0000
commita46c36572d080dbd6c674e156b5ec486517c67c1 (patch)
treee7855f3f170b420d79fdb36a943e48d450360758 /IntelFrameworkModulePkg/Library/GenericBdsLib/BdsConsole.c
parentba46ab947991655c105774dfea4745c3493d3864 (diff)
downloadedk2-platforms-a46c36572d080dbd6c674e156b5ec486517c67c1.tar.xz
Add more check for the bmp file to avoid access violation.
Signed-off-by: Dong Eric <eric.dong@intel.com> Reviewed-by: Gao Liming <liming.gao@intel.com> Reviewed-by: Zhang Chao <chao.b.zhang@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13185 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'IntelFrameworkModulePkg/Library/GenericBdsLib/BdsConsole.c')
-rw-r--r--IntelFrameworkModulePkg/Library/GenericBdsLib/BdsConsole.c74
1 files changed, 71 insertions, 3 deletions
diff --git a/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsConsole.c b/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsConsole.c
index 4fca0f3b12..1ded13637d 100644
--- a/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsConsole.c
+++ b/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsConsole.c
@@ -601,7 +601,13 @@ ConvertBmpToGopBlt (
UINTN Height;
UINTN Width;
UINTN ImageIndex;
+ UINT32 DataSizePerLine;
BOOLEAN IsAllocated;
+ UINT32 ColorMapNum;
+
+ if (sizeof (BMP_IMAGE_HEADER) > BmpImageSize) {
+ return EFI_INVALID_PARAMETER;
+ }
BmpHeader = (BMP_IMAGE_HEADER *) BmpImage;
@@ -617,10 +623,56 @@ ConvertBmpToGopBlt (
}
//
+ // Only support BITMAPINFOHEADER format.
+ // BITMAPFILEHEADER + BITMAPINFOHEADER = BMP_IMAGE_HEADER
+ //
+ if (BmpHeader->HeaderSize != sizeof (BMP_IMAGE_HEADER) - OFFSET_OF(BMP_IMAGE_HEADER, HeaderSize)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ //
+ // The data size in each line must be 4 byte alignment.
+ //
+ DataSizePerLine = ((BmpHeader->PixelWidth * BmpHeader->BitPerPixel + 31) >> 3) & (~0x3);
+ BltBufferSize = MultU64x32 (DataSizePerLine, BmpHeader->PixelHeight);
+ if (BltBufferSize > (UINT32) ~0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((BmpHeader->Size != BmpImageSize) ||
+ (BmpHeader->Size < BmpHeader->ImageOffset) ||
+ (BmpHeader->Size - BmpHeader->ImageOffset != BmpHeader->PixelHeight * DataSizePerLine)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
// Calculate Color Map offset in the image.
//
Image = BmpImage;
BmpColorMap = (BMP_COLOR_MAP *) (Image + sizeof (BMP_IMAGE_HEADER));
+ if (BmpHeader->ImageOffset < sizeof (BMP_IMAGE_HEADER)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (BmpHeader->ImageOffset > sizeof (BMP_IMAGE_HEADER)) {
+ switch (BmpHeader->BitPerPixel) {
+ case 1:
+ ColorMapNum = 2;
+ break;
+ case 4:
+ ColorMapNum = 16;
+ break;
+ case 8:
+ ColorMapNum = 256;
+ break;
+ default:
+ ColorMapNum = 0;
+ break;
+ }
+ if (BmpHeader->ImageOffset - sizeof (BMP_IMAGE_HEADER) != sizeof (BMP_COLOR_MAP) * ColorMapNum) {
+ return EFI_INVALID_PARAMETER;
+ }
+ }
//
// Calculate graphics image data address in the image
@@ -636,8 +688,8 @@ ConvertBmpToGopBlt (
// Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
//
if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {
- return EFI_UNSUPPORTED;
- }
+ return EFI_UNSUPPORTED;
+ }
BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
IsAllocated = FALSE;
@@ -798,6 +850,7 @@ EnableQuietBoot (
UINTN NewDestY;
UINTN NewHeight;
UINTN NewWidth;
+ UINT64 BufferSize;
UgaDraw = NULL;
//
@@ -1082,7 +1135,22 @@ Done:
FreePool (Blt);
}
- LogoBlt = AllocateZeroPool (LogoWidth * LogoHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
+ //
+ // Ensure the LogoHeight * LogoWidth doesn't overflow
+ //
+ if (LogoHeight > DivU64x64Remainder ((UINTN) ~0, LogoWidth, NULL)) {
+ return EFI_UNSUPPORTED;
+ }
+ BufferSize = MultU64x64 (LogoWidth, LogoHeight);
+
+ //
+ // Ensure the BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
+ //
+ if (BufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {
+ return EFI_UNSUPPORTED;
+ }
+
+ LogoBlt = AllocateZeroPool ((UINTN)BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
if (LogoBlt == NULL) {
return EFI_OUT_OF_RESOURCES;
}