From 99f675941128d3e7288e953db47b21f757774b63 Mon Sep 17 00:00:00 2001 From: vanjeff Date: Mon, 27 Jul 2009 02:23:19 +0000 Subject: Enhanced BMP file security check. git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9010 6f19259b-4bc3-4df7-8a09-765794883524 --- .../Foundation/Library/Dxe/Graphics/Graphics.c | 20 ++++++++++++++------ .../Foundation/Library/Dxe/GraphicsLite/Graphics.c | 20 ++++++++++++++------ 2 files changed, 28 insertions(+), 12 deletions(-) (limited to 'EdkCompatibilityPkg') diff --git a/EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c b/EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c index 61929d5bd9..0844a6f30d 100644 --- a/EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c +++ b/EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c @@ -1,6 +1,6 @@ /*++ -Copyright (c) 2004 - 2007, Intel Corporation +Copyright (c) 2004 - 2009, Intel Corporation All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -157,7 +157,7 @@ Returns: BMP_COLOR_MAP *BmpColorMap; EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer; EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt; - UINTN BltBufferSize; + UINT64 BltBufferSize; UINTN Index; UINTN Height; UINTN Width; @@ -185,18 +185,26 @@ Returns: Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset; ImageHeader = Image; - BltBufferSize = BmpHeader->PixelWidth * BmpHeader->PixelHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL); + BltBufferSize = MultU64x32 ((UINT64) BmpHeader->PixelWidth, BmpHeader->PixelHeight); + // + // Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow + // + if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL), NULL)) { + return EFI_UNSUPPORTED; + } + BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); + IsAllocated = FALSE; if (*GopBlt == NULL) { - *GopBltSize = BltBufferSize; + *GopBltSize = (UINTN) BltBufferSize; *GopBlt = EfiLibAllocatePool (*GopBltSize); IsAllocated = TRUE; if (*GopBlt == NULL) { return EFI_OUT_OF_RESOURCES; } } else { - if (*GopBltSize < BltBufferSize) { - *GopBltSize = BltBufferSize; + if (*GopBltSize < (UINTN) BltBufferSize) { + *GopBltSize = (UINTN) BltBufferSize; return EFI_BUFFER_TOO_SMALL; } } diff --git a/EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c b/EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c index 0f0c6f2010..739c735d92 100644 --- a/EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c +++ b/EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c @@ -1,6 +1,6 @@ /*++ -Copyright (c) 2004 - 2006, Intel Corporation +Copyright (c) 2004 - 2009, Intel Corporation All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -158,7 +158,7 @@ Returns: BMP_COLOR_MAP *BmpColorMap; EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer; EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt; - UINTN BltBufferSize; + UINT64 BltBufferSize; UINTN Index; UINTN Height; UINTN Width; @@ -186,18 +186,26 @@ Returns: Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset; ImageHeader = Image; - BltBufferSize = BmpHeader->PixelWidth * BmpHeader->PixelHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL); + BltBufferSize = MultU64x32 ((UINT64) BmpHeader->PixelWidth, BmpHeader->PixelHeight); + // + // Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow + // + if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL), NULL)) { + return EFI_UNSUPPORTED; + } + BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); + IsAllocated = FALSE; if (*GopBlt == NULL) { - *GopBltSize = BltBufferSize; + *GopBltSize = (UINTN) BltBufferSize; *GopBlt = EfiLibAllocatePool (*GopBltSize); IsAllocated = TRUE; if (*GopBlt == NULL) { return EFI_OUT_OF_RESOURCES; } } else { - if (*GopBltSize < BltBufferSize) { - *GopBltSize = BltBufferSize; + if (*GopBltSize < (UINTN) BltBufferSize) { + *GopBltSize = (UINTN) BltBufferSize; return EFI_BUFFER_TOO_SMALL; } } -- cgit v1.2.3