Fix buffer overflow issue in Consplitter.

Signed-off-by: Li Elvin <elvin.li@intel.com>
Reviewed-by: Ni Ruiyu <ruiyu.ni@intel.com>


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13857 6f19259b-4bc3-4df7-8a09-765794883524

1 files changed, 16 insertions, 2 deletions

diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
index 2508273..bcb9fd6 100644
--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
+++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
@@ -2109,6 +2109,8 @@ ConSplitterGrowMapTable (
   INT32 *OldTextOutModeMap;

   INT32 *SrcAddress;

   INT32 Index;

+  UINTN OldStepSize;

+  UINTN NewStepSize;

 

   NewSize           = Private->TextOutListCount * sizeof (INT32);

   OldTextOutModeMap = Private->TextOutModeMap;

@@ -2146,14 +2148,26 @@ ConSplitterGrowMapTable (
     Size        = Private->CurrentNumberOfConsoles * sizeof (INT32);

     Index       = 0;

     SrcAddress  = OldTextOutModeMap;

+    NewStepSize = NewSize / sizeof(INT32);    

+    // If Private->CurrentNumberOfConsoles is not zero and OldTextOutModeMap

+    // is not NULL, it indicates that the original TextOutModeMap is not enough

+    // for the new console devices and has been enlarged by CONSOLE_SPLITTER_ALLOC_UNIT columns.

+    //

+    OldStepSize = NewStepSize - CONSOLE_SPLITTER_ALLOC_UNIT;

 

     //

     // Copy the old data to the new one

     //

     while (Index < Private->TextOutMode.MaxMode) {

       CopyMem (TextOutModeMap, SrcAddress, Size);

-      TextOutModeMap += NewSize;

-      SrcAddress += Size;

+      //

+      // Go to next row of new TextOutModeMap.

+      //

+      TextOutModeMap += NewStepSize;

+      //

+      // Go to next row of old TextOutModeMap.

+      //

+      SrcAddress += OldStepSize;

       Index++;

     }

     //