Check the value of Hdr.dwLength for signed EFI image before image validation.

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting  <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13701 6f19259b-4bc3-4df7-8a09-765794883524

1 files changed, 5 insertions, 1 deletions

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index b3648bdee4..9ea3a28ad9 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1276,6 +1276,9 @@ DxeImageVerificationHandler (
     // Authenticode specification.

     //

     PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *) WinCertificate;

+    if (PkcsCertData->Hdr.dwLength <= sizeof (PkcsCertData->Hdr)) {

+      goto Done;

+    }

     AuthData   = PkcsCertData->CertData;

     AuthDataSize = PkcsCertData->Hdr.dwLength - sizeof(PkcsCertData->Hdr);

     

@@ -1290,7 +1293,8 @@ DxeImageVerificationHandler (
     // The certificate is formatted as WIN_CERTIFICATE_UEFI_GUID which is described in UEFI Spec.

     //

     WinCertUefiGuid = (WIN_CERTIFICATE_UEFI_GUID *) WinCertificate;

-    if (!CompareGuid(&WinCertUefiGuid->CertType, &gEfiCertPkcs7Guid)) {

+    if (!CompareGuid(&WinCertUefiGuid->CertType, &gEfiCertPkcs7Guid) ||

+        (WinCertUefiGuid->Hdr.dwLength <= OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData))) {

       goto Done;

     }

     AuthData = WinCertUefiGuid->CertData;