From 84bce75b08202a0d8e64d690dffbc329ed89dcc6 Mon Sep 17 00:00:00 2001
From: sfu5
Date: Thu, 6 Sep 2012 02:15:59 +0000
Subject: Check the value of Hdr.dwLength for signed EFI image before image validation.
Signed-off-by: Fu Siyuan
Reviewed-by: Ye Ting
Reviewed-by: Dong Guo
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13701 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'SecurityPkg')
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index b3648bdee4..9ea3a28ad9 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1276,6 +1276,9 @@ DxeImageVerificationHandler (
 // Authenticode specification.
 //
 PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *) WinCertificate;
+ if (PkcsCertData->Hdr.dwLength <= sizeof (PkcsCertData->Hdr)) {
+ goto Done;
+ }
 AuthData = PkcsCertData->CertData;
 AuthDataSize = PkcsCertData->Hdr.dwLength - sizeof(PkcsCertData->Hdr);
@@ -1290,7 +1293,8 @@ DxeImageVerificationHandler (
 // The certificate is formatted as WIN_CERTIFICATE_UEFI_GUID which is described in UEFI Spec.
 //
 WinCertUefiGuid = (WIN_CERTIFICATE_UEFI_GUID *) WinCertificate;
- if (!CompareGuid(&WinCertUefiGuid->CertType, &gEfiCertPkcs7Guid)) {
+ if (!CompareGuid(&WinCertUefiGuid->CertType, &gEfiCertPkcs7Guid) ||
+ (WinCertUefiGuid->Hdr.dwLength <= OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData))) {
 goto Done;
 }
 AuthData = WinCertUefiGuid->CertData;
--
cgit v1.2.3
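Review bot: The guard added in the first hunk rejects only a `dwLength` that is too small; nothing visible in the hunk bounds it from above, so `AuthDataSize` on the line after the guard is still whatever the image header declares minus the header size. If the surrounding code does not already compare `dwLength` with the bytes remaining in the image's certificate table (that part of DxeImageVerificationHandler is outside the hunk), whatever consumes `AuthData` can be given a size that runs past the loaded image. I would either add that comparison next to this one or record where it happens, e.g. `// dwLength comes from the image: lower bound checked here, upper bound checked at <location of the certificate-table size check>`. The same applies to the WIN_CERTIFICATE_UEFI_GUID branch in the second hunk.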
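Review bot: In the second hunk the length test is the right-hand operand of `||`, so `CompareGuid` has already read the 16-byte `CertType` field before `dwLength` is looked at. A certificate whose declared length stops short of `CertData` therefore still has its GUID read. Putting the length test first lets short-circuit evaluation skip that read: `if ((WinCertUefiGuid->Hdr.dwLength <= OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData)) ||` followed by `!CompareGuid(&WinCertUefiGuid->CertType, &gEfiCertPkcs7Guid)) {`. The enclosing function begins and ends outside the hunk, so whether `goto Done` leaves the image rejected cannot be confirmed from here and is worth a one-line comment at the jump.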