From 28186d45660c92b8d98b8b19b5f8e6ff71ea5fba Mon Sep 17 00:00:00 2001
From: ydong10 <ydong10@6f19259b-4bc3-4df7-8a09-765794883524>
Date: Tue, 24 Apr 2012 03:00:32 +0000
Subject: Validate some fields in PE image to make sure not access violation
 for later code.

Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13211 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c    | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)

(limited to 'SecurityPkg/Library/DxeTpmMeasureBootLib')

diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index d3c7bfec62..f0039c8048 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -36,6 +36,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 BOOLEAN                           mMeasureGptTableFlag = FALSE;
 EFI_GUID                          mZeroGuid = {0, 0, 0, {0, 0, 0, 0, 0, 0, 0, 0}};
 UINTN                             mMeasureGptCount = 0;
+VOID                              *mFileBuffer;
+UINTN                             mImageSize;
 
 /**
   Reads contents of a PE/COFF image in memory buffer.
@@ -57,7 +59,27 @@ ImageRead (
   OUT    VOID    *Buffer
   )
 {
+  UINTN               EndPosition;
+
+  if (FileHandle == NULL || ReadSize == NULL || Buffer == NULL) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  if (MAX_ADDRESS - FileOffset < *ReadSize) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  EndPosition = FileOffset + *ReadSize;
+  if (EndPosition > mImageSize) {
+    *ReadSize = (UINT32)(mImageSize - FileOffset);
+  }
+
+  if (FileOffset >= mImageSize) {
+    *ReadSize = 0;
+  }
+
   CopyMem (Buffer, (UINT8 *)((UINTN) FileHandle + FileOffset), *ReadSize);
+
   return EFI_SUCCESS;
 }
 
@@ -495,6 +517,10 @@ TcgMeasurePeImage (
   if (ImageSize > SumOfBytesHashed) {
     HashBase = (UINT8 *) (UINTN) ImageAddress + SumOfBytesHashed;
     if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
+      if (ImageSize - SumOfBytesHashed < Hdr.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size) {
+        Status = EFI_INVALID_PARAMETER;
+        goto Finish;
+      }
       //
       // Use PE32 offset
       //
@@ -502,6 +528,10 @@ TcgMeasurePeImage (
                  Hdr.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size -
                  SumOfBytesHashed);
     } else {
+      if (ImageSize - SumOfBytesHashed < Hdr.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size) {
+        Status = EFI_INVALID_PARAMETER;
+        goto Finish;
+      }
       //
       // Use PE32+ offset
       //
@@ -735,6 +765,9 @@ DxeTpmMeasureBootHandler (
     goto Finish;
   }
 
+  mImageSize  = FileSize;
+  mFileBuffer = FileBuffer;
+
   //
   // Measure PE Image
   //
-- 
cgit v1.2.3