diff options
| author | ydong10 <ydong10@6f19259b-4bc3-4df7-8a09-765794883524> | 2012-04-11 07:56:50 +0000 |
|---|---|---|
| committer | ydong10 <ydong10@6f19259b-4bc3-4df7-8a09-765794883524> | 2012-04-11 07:56:50 +0000 |
| commit | a46c36572d080dbd6c674e156b5ec486517c67c1 (patch) | |
| tree | e7855f3f170b420d79fdb36a943e48d450360758 /MdeModulePkg | |
| parent | ba46ab947991655c105774dfea4745c3493d3864 (diff) | |
| download | edk2-platforms-a46c36572d080dbd6c674e156b5ec486517c67c1.tar.xz | |
Add more check for the bmp file to avoid access violation.
Signed-off-by: Dong Eric <eric.dong@intel.com>
Reviewed-by: Gao Liming <liming.gao@intel.com>
Reviewed-by: Zhang Chao <chao.b.zhang@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13185 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'MdeModulePkg')
| -rw-r--r-- | MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.c | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.c b/MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.c index d365985389..df770fc647 100644 --- a/MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.c +++ b/MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.c @@ -157,6 +157,8 @@ SetBootLogo ( IN UINTN Height
)
{
+ UINT64 BufferSize;
+
if (BltBuffer == NULL) {
mIsLogoValid = FALSE;
mAcpiBgrtStatusChanged = TRUE;
@@ -172,9 +174,24 @@ SetBootLogo ( FreePool (mLogoBltBuffer);
mLogoBltBuffer = NULL;
}
+
+ //
+ // Ensure the Height * Width doesn't overflow
+ //
+ if (Height > DivU64x64Remainder ((UINTN) ~0, Width, NULL)) {
+ return EFI_UNSUPPORTED;
+ }
+ BufferSize = MultU64x64 (Width, Height);
+
+ //
+ // Ensure the BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
+ //
+ if (BufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {
+ return EFI_UNSUPPORTED;
+ }
mLogoBltBuffer = AllocateCopyPool (
- Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL),
+ (UINTN)BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL),
BltBuffer
);
if (mLogoBltBuffer == NULL) {
@@ -330,6 +347,21 @@ InstallBootGraphicsResourceTable ( // Allocate memory for BMP file.
//
PaddingSize = mLogoWidth & 0x3;
+
+ //
+ // First check mLogoWidth * 3 + PaddingSize doesn't overflow
+ //
+ if (mLogoWidth > (((UINT32) ~0) - PaddingSize) / 3 ) {
+ return EFI_UNSUPPORTED;
+ }
+
+ //
+ // Second check (mLogoWidth * 3 + PaddingSize) * mLogoHeight + sizeof (BMP_IMAGE_HEADER) doesn't overflow
+ //
+ if (mLogoHeight > (((UINT32) ~0) - sizeof (BMP_IMAGE_HEADER)) / (mLogoWidth * 3 + PaddingSize)) {
+ return EFI_UNSUPPORTED;
+ }
+
BmpSize = (mLogoWidth * 3 + PaddingSize) * mLogoHeight + sizeof (BMP_IMAGE_HEADER);
ImageBuffer = BgrtAllocateReservedMemoryBelow4G (BmpSize);
if (ImageBuffer == NULL) {
|