author | Hao Wu <hao.a.wu@intel.com> | 2018-10-30 09:17:04 +0800 |
---|---|---|
committer | Hao Wu <hao.a.wu@intel.com> | 2018-10-31 08:57:04 +0800 |
commit | 27b9cb33e7437f6aef184c6b2982d004d279cc04 (patch) | |
tree | 0190735399495bad095c9ddca71dbd247fab5d91 /EmulatorPkg/Include/Guid | |
parent | bfb8c64cbf6a4604b1a69de8e274cce7f0a678dc (diff) | |
MdeModulePkg/UdfDxe: Memory free/use after free in ResolveSymlink()

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1279

For function ResolveSymlink(), the below codes:

    if (CompareMem ((VOID *)&PreviousFile, (VOID *)Parent,
                    sizeof (UDF_FILE_INFO)) != 0) {
      CleanupFileInformation (&PreviousFile);
    }

    CopyMem ((VOID *)&PreviousFile, (VOID *)File, sizeof (UDF_FILE_INFO));

If the contents in 'PreviousFile' and 'File' are the same, call to
"CleanupFileInformation (&PreviousFile);" will free the buffers in 'File'
as well. This will lead to potential memory double free/use after free
issues.

This commit will add additional check to address the above issue.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Diffstat (limited to 'EmulatorPkg/Include/Guid')
0 files changed, 0 insertions, 0 deletions
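
The aliasing described in the commit message, as an added standalone C model; it is not code from edk2 or from this commit. `FILE_INFO`, `info_alloc`, `info_cleanup`, `step` and `run` are hypothetical names, and the guarded branch assumes the additional check also compares `PreviousFile` against `File`, since this page does not show the diff.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for UDF_FILE_INFO: a struct that owns heap buffers. */
typedef struct { void *FileEntry; void *FileIdentifierDesc; } FILE_INFO;

static void info_alloc(FILE_INFO *f) {
    f->FileEntry = malloc(16);
    f->FileIdentifierDesc = malloc(16);
}

static void info_cleanup(FILE_INFO *f) {   /* models CleanupFileInformation() */
    free(f->FileEntry);
    free(f->FileIdentifierDesc);
    memset(f, 0, sizeof *f);
}

/* One loop iteration. Returns 1 if it freed buffers that *file still points to. */
static int step(FILE_INFO *prev, const FILE_INFO *parent, const FILE_INFO *file, int guarded) {
    int differs_parent = memcmp(prev, parent, sizeof *prev) != 0;
    int differs_file   = memcmp(prev, file, sizeof *prev) != 0;
    int freed_live = 0;
    if (differs_parent && (!guarded || differs_file)) {
        freed_live = !differs_file;      /* prev aliases file: file now dangles */
        info_cleanup(prev);
    }
    memcpy(prev, file, sizeof *prev);    /* shallow copy: prev shares file's buffers */
    return freed_live;
}

/* Constructed scenario: the second iteration leaves 'file' unchanged. */
static int run(int guarded) {
    FILE_INFO parent, file, prev;
    int dangling = 0;
    info_alloc(&parent);
    info_alloc(&file);
    memcpy(&prev, &parent, sizeof prev);
    dangling += step(&prev, &parent, &file, guarded);  /* prev == parent: no cleanup */
    dangling += step(&prev, &parent, &file, guarded);  /* prev == file: the risky case */
    if (!dangling) info_cleanup(&file);  /* skip when already freed, to avoid a real double free */
    info_cleanup(&parent);
    return dangling;
}

int main(void) {
    printf("original check: file freed early = %d\n", run(0));
    printf("extra check:    file freed early = %d\n", run(1));
    return 0;
}
```

The model skips the final cleanup of `file` once it has been freed early, so the demonstration itself never performs the double free it reports.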