1 files changed, 9 insertions, 4 deletions

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
index 1595c8c206..ebe04b50f5 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
@@ -2664,14 +2664,20 @@ VariableServiceSetVariable (
     PayloadSize = DataSize;

   }

 

+  if ((UINTN)(~0) - PayloadSize < StrSize(VariableName)){

+    //

+    // Prevent whole variable size overflow 

+    // 

+    return EFI_INVALID_PARAMETER;

+  }

+

   //

   //  The size of the VariableName, including the Unicode Null in bytes plus

   //  the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)

   //  bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.

   //

   if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {

-    if ((PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) ||

-        (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize))) {

+    if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {

       return EFI_INVALID_PARAMETER;

     }

     if (!IsHwErrRecVariable(VariableName, VendorGuid)) {

@@ -2682,8 +2688,7 @@ VariableServiceSetVariable (
     //  The size of the VariableName, including the Unicode Null in bytes plus

     //  the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.

     //

-    if ((PayloadSize > PcdGet32 (PcdMaxVariableSize)) ||

-        (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxVariableSize))) {

+    if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {

       return EFI_INVALID_PARAMETER;

     }

   }