diff options
author | vanjeff <vanjeff@6f19259b-4bc3-4df7-8a09-765794883524> | 2009-07-27 02:23:19 +0000 |
---|---|---|
committer | vanjeff <vanjeff@6f19259b-4bc3-4df7-8a09-765794883524> | 2009-07-27 02:23:19 +0000 |
commit | 99f675941128d3e7288e953db47b21f757774b63 (patch) | |
tree | 1155302ab04f4e6c7ed0e40a2ba1b391e25eb312 | |
parent | 0adb8a3c47efacd2e8d36726a7ab88ea33fd003c (diff) | |
download | edk2-99f675941128d3e7288e953db47b21f757774b63.zip edk2-99f675941128d3e7288e953db47b21f757774b63.tar.gz edk2-99f675941128d3e7288e953db47b21f757774b63.tar.bz2 |
Enhanced BMP file security check.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9010 6f19259b-4bc3-4df7-8a09-765794883524
-rw-r--r-- | EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c | 20 | ||||
-rw-r--r-- | EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c | 20 |
2 files changed, 28 insertions, 12 deletions
diff --git a/EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c b/EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c index 61929d5..0844a6f 100644 --- a/EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c +++ b/EdkCompatibilityPkg/Foundation/Library/Dxe/Graphics/Graphics.c @@ -1,6 +1,6 @@ /*++
-Copyright (c) 2004 - 2007, Intel Corporation
+Copyright (c) 2004 - 2009, Intel Corporation
All rights reserved. This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -157,7 +157,7 @@ Returns: BMP_COLOR_MAP *BmpColorMap;
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt;
- UINTN BltBufferSize;
+ UINT64 BltBufferSize;
UINTN Index;
UINTN Height;
UINTN Width;
@@ -185,18 +185,26 @@ Returns: Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;
ImageHeader = Image;
- BltBufferSize = BmpHeader->PixelWidth * BmpHeader->PixelHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+ BltBufferSize = MultU64x32 ((UINT64) BmpHeader->PixelWidth, BmpHeader->PixelHeight);
+ //
+ // Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
+ //
+ if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL), NULL)) {
+ return EFI_UNSUPPORTED;
+ }
+ BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
+
IsAllocated = FALSE;
if (*GopBlt == NULL) {
- *GopBltSize = BltBufferSize;
+ *GopBltSize = (UINTN) BltBufferSize;
*GopBlt = EfiLibAllocatePool (*GopBltSize);
IsAllocated = TRUE;
if (*GopBlt == NULL) {
return EFI_OUT_OF_RESOURCES;
}
} else {
- if (*GopBltSize < BltBufferSize) {
- *GopBltSize = BltBufferSize;
+ if (*GopBltSize < (UINTN) BltBufferSize) {
+ *GopBltSize = (UINTN) BltBufferSize;
return EFI_BUFFER_TOO_SMALL;
}
}
diff --git a/EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c b/EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c index 0f0c6f2..739c735 100644 --- a/EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c +++ b/EdkCompatibilityPkg/Foundation/Library/Dxe/GraphicsLite/Graphics.c @@ -1,6 +1,6 @@ /*++
-Copyright (c) 2004 - 2006, Intel Corporation
+Copyright (c) 2004 - 2009, Intel Corporation
All rights reserved. This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -158,7 +158,7 @@ Returns: BMP_COLOR_MAP *BmpColorMap;
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt;
- UINTN BltBufferSize;
+ UINT64 BltBufferSize;
UINTN Index;
UINTN Height;
UINTN Width;
@@ -186,18 +186,26 @@ Returns: Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;
ImageHeader = Image;
- BltBufferSize = BmpHeader->PixelWidth * BmpHeader->PixelHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+ BltBufferSize = MultU64x32 ((UINT64) BmpHeader->PixelWidth, BmpHeader->PixelHeight);
+ //
+ // Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
+ //
+ if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL), NULL)) {
+ return EFI_UNSUPPORTED;
+ }
+ BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
+
IsAllocated = FALSE;
if (*GopBlt == NULL) {
- *GopBltSize = BltBufferSize;
+ *GopBltSize = (UINTN) BltBufferSize;
*GopBlt = EfiLibAllocatePool (*GopBltSize);
IsAllocated = TRUE;
if (*GopBlt == NULL) {
return EFI_OUT_OF_RESOURCES;
}
} else {
- if (*GopBltSize < BltBufferSize) {
- *GopBltSize = BltBufferSize;
+ if (*GopBltSize < (UINTN) BltBufferSize) {
+ *GopBltSize = (UINTN) BltBufferSize;
return EFI_BUFFER_TOO_SMALL;
}
}
|