From b0c2b79738fc50ccf52c44afcddaee52e9108c4f Mon Sep 17 00:00:00 2001 From: Qiu Shumin Date: Tue, 15 Dec 2015 08:40:55 +0000 Subject: MdeModulePkg: Add NULL pointer check for RegularExpressionDxe. Refine code by adding NULL pointer check to avoid potential NULL pointer dereferenced. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qiu Shumin Reviewed-by: Samer El-Haj-Mahmoud git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19271 6f19259b-4bc3-4df7-8a09-765794883524 --- .../RegularExpressionDxe/Oniguruma/enc/unicode.c | 2 +- .../Universal/RegularExpressionDxe/Oniguruma/regcomp.c | 14 ++++++++++++-- .../Universal/RegularExpressionDxe/Oniguruma/regerror.c | 4 ++++ .../Universal/RegularExpressionDxe/Oniguruma/regexec.c | 8 +++++++- .../Universal/RegularExpressionDxe/Oniguruma/regparse.c | 15 +++++++++++++++ .../Universal/RegularExpressionDxe/Oniguruma/st.c | 7 +++++++ .../Universal/RegularExpressionDxe/RegularExpressionDxe.c | 4 ++++ 7 files changed, 50 insertions(+), 4 deletions(-) (limited to 'MdeModulePkg') diff --git a/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/enc/unicode.c b/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/enc/unicode.c index a9066703b8..6747b3d839 100644 --- a/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/enc/unicode.c +++ b/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/enc/unicode.c @@ -11239,7 +11239,7 @@ onigenc_unicode_get_case_fold_codes_by_str(OnigEncoding enc, } else if ((flag & INTERNAL_ONIGENC_CASE_FOLD_MULTI_CHAR) != 0) { OnigCodePoint cs[3][4]; - int fn, ncs[3]; + int fn, ncs[3]={0, 0, 0}; for (fn = 0; fn < to->n; fn++) { cs[fn][0] = to->code[fn]; diff --git a/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regcomp.c b/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regcomp.c index 25b768b79b..891dd3a9e8 100644 --- a/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regcomp.c +++ b/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regcomp.c 
@@ -1248,6 +1248,9 @@ compile_length_enclose_node(EncloseNode* node, regex_t* reg) case ENCLOSE_STOP_BACKTRACK: if (IS_ENCLOSE_STOP_BT_SIMPLE_REPEAT(node)) { + if (node->target == NULL) { + CHECK_NULL_RETURN_MEMERR(node->target); + } QtfrNode* qn = NQTFR(node->target); tlen = compile_length_tree(qn->target, reg); if (tlen < 0) return tlen; @@ -3263,6 +3266,7 @@ expand_case_fold_string_alt(int item_num, OnigCaseFoldCodeItem items[], int r, i, j, len, varlen; Node *anode, *var_anode, *snode, *xnode, *an; UChar buf[ONIGENC_CODE_TO_MBC_MAXLEN]; + xnode = NULL_NODE; *rnode = var_anode = NULL_NODE; @@ -3317,7 +3321,7 @@ expand_case_fold_string_alt(int item_num, OnigCaseFoldCodeItem items[], } if (items[i].byte_len != slen) { - Node *rem; + Node *rem = NULL_NODE; UChar *q = p + items[i].byte_len; if (q < end) { @@ -3346,6 +3350,12 @@ expand_case_fold_string_alt(int item_num, OnigCaseFoldCodeItem items[], NCAR(an) = snode; } + if (var_anode == NULL) { + onig_node_free(an); + onig_node_free(xnode); + onig_node_free(rem); + goto mem_err2; + } NCDR(var_anode) = an; var_anode = an; } @@ -5304,7 +5314,7 @@ onig_compile(regex_t* reg, const UChar* pattern, const UChar* pattern_end, #endif r = onig_parse_make_tree(&root, pattern, pattern_end, reg, &scan_env); - if (r != 0) goto err; + if (r != 0 || root == NULL) goto err; #ifdef USE_NAMED_GROUP /* mixed use named group and no-named group */ diff --git a/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regerror.c b/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regerror.c index 086a747629..c3ec3626eb 100644 --- a/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regerror.c +++ b/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regerror.c @@ -308,6 +308,10 @@ onig_error_code_to_str(s, code, va_alist) default: q = onig_error_code_to_format(code); + if (q == NULL) { + len = 0; + break; + } len = onigenc_str_bytelen_null(ONIG_ENCODING_ASCII, q); xmemcpy(s, q, len); s[len] = '\0'; 
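Review bot: In compile_length_enclose_node, the added `if (node->target == NULL)` wrapper is redundant if `CHECK_NULL_RETURN_MEMERR` already tests its argument (as it does in Oniguruma's regint.h), and it places the declaration `QtfrNode* qn = NQTFR(node->target);` after a statement, which C89-mode compilers reject. Declare `QtfrNode* qn;` at the top of the block, then use `CHECK_NULL_RETURN_MEMERR(node->target);` followed by `qn = NQTFR(node->target);`. A missing target is not an allocation failure, so a short comment explaining why the memory error code is reused would help anyone triaging it. The function body extends beyond the hunk.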
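Review bot: The new `var_anode == NULL` branch in expand_case_fold_string_alt frees `an`, `xnode` and `rem` separately, which looks like a double free when those nodes are already linked. The lines between the hunks are not shown, but if the `q < end` path has stored `xnode` in `NCAR(an)` and appended `rem` to `xnode`, as upstream Oniguruma does, then `onig_node_free(an)` already releases both. Also, `xnode` is now initialised only once at function entry, so on an iteration that took the `NCAR(an) = snode` path it can still point at a node from an earlier iteration that the tree owns. Freeing only the subtree root should be enough: `onig_node_free(an); goto mem_err2;`. Because the pattern is caller-supplied, this error path deserves a test that forces the branch under a memory checker.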
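Review bot: `if (r != 0 || root == NULL) goto err;` in onig_compile can take the error path while `r` is still 0. The `err` label is outside the hunk; if it ends in `return r;`, the caller is told compilation succeeded although no program was built, and a later search would run on an incomplete regex_t. Give that case its own code before the jump, for example `if (r == 0 && root == NULL) r = ONIGERR_PARSER_BUG;` followed by the original `if (r != 0) goto err;`.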
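Review bot: The new `q == NULL` path in onig_error_code_to_str leaves the output buffer unterminated, because it breaks out of the switch before `s[len] = '\0';` runs. A caller that prints `s` as a C string after a zero-length return would read whatever the buffer held before the call. Terminate the buffer on that path as well: `if (q == NULL) { s[0] = '\0'; len = 0; break; }`.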
diff --git a/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regexec.c b/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regexec.c index 160c995fa4..a175f3a6cc 100644 --- a/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regexec.c +++ b/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regexec.c @@ -243,7 +243,9 @@ onig_region_new(void) OnigRegion* r; r = (OnigRegion* )xmalloc(sizeof(OnigRegion)); - onig_region_init(r); + if (r != NULL) { + onig_region_init(r); + } return r; } @@ -284,6 +286,10 @@ onig_region_copy(OnigRegion* to, OnigRegion* from) to->allocated = from->num_regs; } + if (to->beg == NULL || to->end == NULL) { + return; + } + for (i = 0; i < from->num_regs; i++) { to->beg[i] = from->beg[i]; to->end[i] = from->end[i]; diff --git a/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c b/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c index 4be2f229bc..b0fee98a16 100644 --- a/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c +++ b/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c @@ -380,6 +380,7 @@ onig_st_insert_strend(hash_table_type* table, const UChar* str_key, int result; key = (st_str_end_key* )xmalloc(sizeof(st_str_end_key)); + CHECK_NULL_RETURN_MEMERR(key); key->s = (UChar* )str_key; key->end = (UChar* )end_key; result = onig_st_insert(table, (st_data_t )(UINTN)key, value); @@ -732,6 +733,7 @@ name_add(regex_t* reg, UChar* name, UChar* name_end, int backref, ScanEnv* env) #ifdef USE_ST_LIBRARY if (IS_NULL(t)) { t = onig_st_init_strend_table_with_size(5); + CHECK_NULL_RETURN_MEMERR(t); reg->name_table = (void* )t; } e = (NameEntry* )xmalloc(sizeof(NameEntry)); @@ -964,6 +966,8 @@ scan_env_add_mem_entry(ScanEnv* env) if (IS_NULL(env->mem_nodes_dynamic)) { alloc = INIT_SCANENV_MEMNODES_ALLOC_SIZE; p = (Node** )xmalloc(sizeof(Node*) * alloc); + CHECK_NULL_RETURN_MEMERR(p); + xmemcpy(p, env->mem_nodes_static, sizeof(Node*) * SCANENV_MEMNODES_SIZE); } 
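Review bot: The early `return;` added to onig_region_copy fails silently and leaves `to` inconsistent. The context line above it shows `to->allocated = from->num_regs;` has already run, so the region advertises capacity while `to->beg` or `to->end` is NULL. The function returns void, so a caller cannot tell the copy did not happen and may go on to read capture offsets from `to`. Before returning, release whichever of the two arrays was obtained and reset the bookkeeping with `to->allocated = 0; to->num_regs = 0;`. Also add a comment above the function saying callers must check `to->num_regs` after the call; the allocation code itself is outside the hunk.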
@@ -1522,6 +1526,7 @@ static Node* node_new_str_raw(UChar* s, UChar* end) { Node* node = node_new_str(s, end); + CHECK_NULL_RETURN(node); NSTRING_SET_RAW(node); return node; } @@ -1551,6 +1556,7 @@ str_node_split_last_char(StrNode* sn, OnigEncoding enc) p = onigenc_get_prev_char_head(enc, sn->s, sn->end); if (p && p > sn->s) { /* can be splitted. */ n = node_new_str(p, sn->end); + CHECK_NULL_RETURN(n); if ((sn->flag & NSTR_RAW) != 0) NSTRING_SET_RAW(n); sn->end = (UChar* )p; @@ -4785,6 +4791,9 @@ set_quantifier(Node* qnode, Node* target, int group, ScanEnv* env) QtfrNode* qnt = NQTFR(target); int nestq_num = popular_quantifier_num(qn); int targetq_num = popular_quantifier_num(qnt); + if (nestq_num < 0 || targetq_num < 0) { + return ONIGERR_TYPE_BUG; + } #ifdef USE_WARNING_REDUNDANT_NESTED_REPEAT_OPERATOR if (!IS_QUANTIFIER_BY_NUMBER(qn) && !IS_QUANTIFIER_BY_NUMBER(qnt) && @@ -5234,6 +5243,7 @@ parse_exp(Node** np, OnigToken* tok, int term, cc = NCCLASS(*np); NCCLASS_SET_SHARE(cc); new_key = (type_cclass_key* )xmalloc(sizeof(type_cclass_key)); + CHECK_NULL_RETURN_MEMERR(new_key); xmemcpy(new_key, &key, sizeof(type_cclass_key)); onig_st_add_direct(OnigTypeCClassTable, (st_data_t )(UINTN)new_key, (st_data_t )(UINTN)*np); @@ -5345,6 +5355,7 @@ parse_exp(Node** np, OnigToken* tok, int term, case TK_ANCHOR: *np = onig_node_new_anchor(tok->u.anchor); + CHECK_NULL_RETURN_MEMERR(*np); break; case TK_OP_REPEAT: @@ -5354,6 +5365,7 @@ parse_exp(Node** np, OnigToken* tok, int term, return ONIGERR_TARGET_OF_REPEAT_OPERATOR_NOT_SPECIFIED; else *np = node_new_empty(); + CHECK_NULL_RETURN_MEMERR(*np); } else { goto tk_byte; @@ -5442,9 +5454,11 @@ parse_branch(Node** top, OnigToken* tok, int term, } else { *top = node_new_list(node, NULL); + CHECK_NULL_RETURN_MEMERR(*top); headp = &(NCDR(*top)); while (r != TK_EOT && r != term && r != TK_ALT) { r = parse_exp(&node, tok, term, src, end, env); + CHECK_NULL_RETURN_MEMERR(node); if (r < 0) return r; if (NTYPE(node) == NT_LIST) { 
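Review bot: The added `if (nestq_num < 0 || targetq_num < 0) return ONIGERR_TYPE_BUG;` in set_quantifier treats a negative result from popular_quantifier_num as a failure, but it may be an ordinary result. popular_quantifier_num is defined outside the hunk; in upstream Oniguruma it returns -1 for any quantifier that is not one of the common forms (`?`, `*`, `+` and their lazy variants). With this check, a valid nested repeat such as `(?:a*){2,3}` would then be rejected with a type-bug error. If the aim is only to keep a negative value from being used as a table index, guard the indexed use itself with `if (nestq_num >= 0 && targetq_num >= 0)` and leave the rest of the quantifier handling reachable. The enclosing block continues beyond the hunk.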
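Review bot: In parse_branch's loop, `CHECK_NULL_RETURN_MEMERR(node);` runs before `if (r < 0) return r;`, so a parse error that leaves `node` NULL is reported as a memory error instead of the code parse_exp returned. parse_exp is outside the hunk, so whether it clears its output on failure is an assumption, but swapping the two lines is free: `if (r < 0) return r;` then `CHECK_NULL_RETURN_MEMERR(node);`. Separately, when `node_new_list(node, NULL)` fails, the already-parsed `node` is not freed and `*top` is NULL, so the caller cannot release it. `if (IS_NULL(*top)) { onig_node_free(node); return ONIGERR_MEMORY; }` would avoid the leak. The same leak applies to the `onig_node_new_alt(node, NULL)` check added in parse_subexp.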
@@ -5482,6 +5496,7 @@ parse_subexp(Node** top, OnigToken* tok, int term, } else if (r == TK_ALT) { *top = onig_node_new_alt(node, NULL); + CHECK_NULL_RETURN_MEMERR(*top); headp = &(NCDR(*top)); while (r == TK_ALT) { r = fetch_token(tok, src, end, env); diff --git a/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/st.c b/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/st.c index 1527fcc439..8dcfdc3eb1 100644 --- a/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/st.c +++ b/MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/st.c @@ -156,6 +156,7 @@ st_init_table_with_size(type, size) size = new_size(size); /* round up to prime number */ tbl = alloc(st_table); + CHECK_NULL_RETURN(tbl); tbl->type = type; tbl->num_entries = 0; tbl->num_bins = size; @@ -267,6 +268,9 @@ do {\ }\ \ entry = alloc(st_table_entry);\ + if (entry == NULL) {\ + break;\ + }\ \ entry->hash = hash_val;\ entry->key = key;\ @@ -321,6 +325,9 @@ rehash(table) new_num_bins = new_size(old_num_bins+1); new_bins = (st_table_entry**)Calloc(new_num_bins, sizeof(st_table_entry*)); + if (new_bins == NULL) { + return; + } for(i = 0; i < old_num_bins; i++) { ptr = table->bins[i]; diff --git a/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.c b/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.c index a3eebf7077..cffbcb834a 100644 --- a/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.c +++ b/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.c @@ -130,6 +130,10 @@ OnigurumaMatch ( // Start = (OnigUChar*)String; Region = onig_region_new (); + if (Region == NULL) { + onig_free (OnigRegex); + return EFI_OUT_OF_RESOURCES; + } OnigResult = onig_search ( OnigRegex, Start, -- cgit v1.2.3
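Review bot: The `break;` added after `entry = alloc(st_table_entry);` in st.c's insertion macro leaves the do/while without storing anything, and nothing reports that to the caller. The functions that expand this macro are outside the hunk. If they return their usual value afterwards, callers such as onig_st_insert_strend and the `onig_st_add_direct(OnigTypeCClassTable, ...)` call in parse_exp will assume the table took ownership of the key they allocated, so the key leaks and a later lookup misses. Consider having the macro set a status that the enclosing function can return. Until then, a comment on the macro such as `/* on allocation failure the entry is silently not added */` would at least document the behaviour.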