MdeModulePkg/UdfDxe: Avoid possible use of already-freed data

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1255 For function ReadFile(): If the line Status = GetAedAdsData ( ... ); is reached multiple times during the 'for' loop, freeing the data pointed by variable 'Data' may potentially lead to variable 'Ad' referencing the already-freed data. After calling function GetAllocationDescriptor(), 'Data' and 'Ad' may point to the same memory (with some possible offset). Hence, this commit will move the FreePool() call backwards to ensure the data will no longer be used. Cc: Ruiyu Ni <ruiyu.ni@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Paulo Alcantara <palcantara@suse.de> Acked-by: Star Zeng <star.zeng@intel.com>
author: Hao Wu <hao.a.wu@intel.com> 2018-10-16 13:09:43 +0800
committer: Hao Wu <hao.a.wu@intel.com> 2018-10-23 14:25:04 +0800
commit: 68099b52b0fcc1d45864154954d776d91afb33e0 (patch)
tree: eec1460c85596dd6d3a10495dfc151f470a4e8a8 /MdeModulePkg/Universal/Disk
parent: 85acb5e8ffef026b80241b1657ed4fba26e382b1 (diff)
download: edk2-68099b52b0fcc1d45864154954d776d91afb33e0.zip
edk2-68099b52b0fcc1d45864154954d776d91afb33e0.tar.gz
edk2-68099b52b0fcc1d45864154954d776d91afb33e0.tar.bz2
1 files changed, 9 insertions, 6 deletions
diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
index cabb599..b9ebddf 100644
--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
@@ -1078,6 +1078,7 @@ ReadFile (
   EFI_STATUS              Status;
   UINT32                  LogicalBlockSize;
   VOID                    *Data;
+  VOID                    *DataBak;
   UINT64                  Length;
   VOID                    *Ad;
   UINT64                  AdOffset;
@@ -1218,12 +1219,7 @@ ReadFile (
       // Descriptor and its extents (ADs).
       //
       if (GET_EXTENT_FLAGS (RecordingFlags, Ad) == ExtentIsNextExtent) {
-        if (!DoFreeAed) {
-          DoFreeAed = TRUE;
-        } else {
-          FreePool (Data);
-        }
-
+        DataBak = Data;
         Status = GetAedAdsData (
           BlockIo,
           DiskIo,
@@ -1234,6 +1230,13 @@ ReadFile (
           &Data,
           &Length
           );
+
+        if (!DoFreeAed) {
+          DoFreeAed = TRUE;
+        } else {
+          FreePool (DataBak);
+        }
+
         if (EFI_ERROR (Status)) {
           goto Error_Get_Aed;
         }
author	Hao Wu <hao.a.wu@intel.com>	2018-10-16 13:09:43 +0800
committer	Hao Wu <hao.a.wu@intel.com>	2018-10-23 14:25:04 +0800
commit	68099b52b0fcc1d45864154954d776d91afb33e0 (patch)
tree	eec1460c85596dd6d3a10495dfc151f470a4e8a8 /MdeModulePkg/Universal/Disk
parent	85acb5e8ffef026b80241b1657ed4fba26e382b1 (diff)
download	edk2-68099b52b0fcc1d45864154954d776d91afb33e0.zip edk2-68099b52b0fcc1d45864154954d776d91afb33e0.tar.gz edk2-68099b52b0fcc1d45864154954d776d91afb33e0.tar.bz2