authorJian J Wang <jian.j.wang@intel.com>2017-11-01 23:18:34 +0800
committerStar Zeng <star.zeng@intel.com>2017-11-08 17:13:03 +0800
commit469293f8ee406f2b0bad2cf3bbbc510b2a1364eb (patch)
treefb99a6f8e8f0dd2b6a9f9c6108cd51fb7e3fe952 /MdeModulePkg
parentcc05c72ef84e03d43a0244b8639e8c08336af066 (diff)
MdeModulePkg: Fix misuses of AllocateCopyPool
AllocateCopyPool(AllocationSize, *Buffer) will copy "AllocationSize" bytes of memory from old "Buffer" to new allocated one. If "AllocationSize" is bigger than size of "Buffer", heap memory overflow occurs during copy. One solution is to allocate pool first then copy the necessary bytes to new memory. Another is using ReallocatePool instead if old buffer will be freed on spot. Cc: Star Zeng <star.zeng@intel.com> Cc: Eric Dong <eric.dong@intel.com> Cc: Bi Dandan <dandan.bi@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Bi Dandan <dandan.bi@intel.com>
Diffstat (limited to 'MdeModulePkg')
-rw-r--r--MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c8
-rw-r--r--MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanceManagerCustomizedUiSupport.c8
-rw-r--r--MdeModulePkg/Library/DeviceManagerUiLib/DeviceManager.c10
-rw-r--r--MdeModulePkg/Library/UefiHiiLib/HiiLib.c12
-rw-r--r--MdeModulePkg/Universal/FvSimpleFileSystemDxe/FvSimpleFileSystem.c3
-rw-r--r--MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c9
6 files changed, 33 insertions, 17 deletions
diff --git a/MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c b/MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c
index 1505ef9..17fc3db 100644
--- a/MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c
+++ b/MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c
@@ -639,9 +639,13 @@ UiListThirdPartyDrivers (
Count++;
if (Count >= CurrentSize) {
- DriverListPtr = AllocateCopyPool ((Count + UI_HII_DRIVER_LIST_SIZE) * sizeof (UI_HII_DRIVER_INSTANCE), gHiiDriverList);
+ DriverListPtr = ReallocatePool (
+ CurrentSize * sizeof (UI_HII_DRIVER_INSTANCE),
+ (Count + UI_HII_DRIVER_LIST_SIZE)
+ * sizeof (UI_HII_DRIVER_INSTANCE),
+ gHiiDriverList
+ );
ASSERT (DriverListPtr != NULL);
- FreePool (gHiiDriverList);
gHiiDriverList = DriverListPtr;
CurrentSize += UI_HII_DRIVER_LIST_SIZE;
}
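Review bot: Allocation failure in this growth path is handled only by `ASSERT (DriverListPtr != NULL)`, which is normally compiled out of release builds, so `gHiiDriverList = DriverListPtr` would then store NULL while `CurrentSize` still grows. ReallocatePool, as documented in MemoryAllocationLib, frees the old buffer only when the new allocation succeeds, so the previous list would also be leaked in that case. An explicit check before the assignment, for example `if (DriverListPtr == NULL) { break; }` or whatever exit fits the enclosing loop (which is outside the hunk), would keep the existing list valid. The same pattern appears in the BmmListThirdPartyDrivers hunk in BootMaintenanceManagerCustomizedUiSupport.c.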
diff --git a/MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanceManagerCustomizedUiSupport.c b/MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanceManagerCustomizedUiSupport.c
index b25bc67..6dd4fce 100644
--- a/MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanceManagerCustomizedUiSupport.c
+++ b/MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanceManagerCustomizedUiSupport.c
@@ -435,9 +435,13 @@ BmmListThirdPartyDrivers (
Count++;
if (Count >= CurrentSize) {
- DriverListPtr = AllocateCopyPool ((Count + UI_HII_DRIVER_LIST_SIZE) * sizeof (UI_HII_DRIVER_INSTANCE), gHiiDriverList);
+ DriverListPtr = ReallocatePool (
+ CurrentSize * sizeof (UI_HII_DRIVER_INSTANCE),
+ (Count + UI_HII_DRIVER_LIST_SIZE)
+ * sizeof (UI_HII_DRIVER_INSTANCE),
+ gHiiDriverList
+ );
ASSERT (DriverListPtr != NULL);
- FreePool (gHiiDriverList);
gHiiDriverList = DriverListPtr;
CurrentSize += UI_HII_DRIVER_LIST_SIZE;
}
diff --git a/MdeModulePkg/Library/DeviceManagerUiLib/DeviceManager.c b/MdeModulePkg/Library/DeviceManagerUiLib/DeviceManager.c
index 23ae6c5..ac8a975 100644
--- a/MdeModulePkg/Library/DeviceManagerUiLib/DeviceManager.c
+++ b/MdeModulePkg/Library/DeviceManagerUiLib/DeviceManager.c
@@ -240,7 +240,11 @@ AddIdToMacDeviceList (
} else {
mMacDeviceList.MaxListLen += MAX_MAC_ADDRESS_NODE_LIST_LEN;
if (mMacDeviceList.CurListLen != 0) {
- TempDeviceList = (MENU_INFO_ITEM *)AllocateCopyPool (sizeof (MENU_INFO_ITEM) * mMacDeviceList.MaxListLen, (VOID *)mMacDeviceList.NodeList);
+ TempDeviceList = ReallocatePool (
+ sizeof (MENU_INFO_ITEM) * mMacDeviceList.CurListLen,
+ sizeof (MENU_INFO_ITEM) * mMacDeviceList.MaxListLen,
+ mMacDeviceList.NodeList
+ );
} else {
TempDeviceList = (MENU_INFO_ITEM *)AllocatePool (sizeof (MENU_INFO_ITEM) * mMacDeviceList.MaxListLen);
}
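Review bot: `mMacDeviceList.MaxListLen` is increased before the allocation is attempted, so if ReallocatePool or AllocatePool returns NULL the recorded capacity no longer matches the buffer that `NodeList` still points to. Whether TempDeviceList is checked for NULL is outside this hunk, but if the function returns on failure, a later call could treat the list as having room and index past the old allocation. Computing the new length in a local, for example `NewMaxLen = mMacDeviceList.MaxListLen + MAX_MAC_ADDRESS_NODE_LIST_LEN;`, and storing it in MaxListLen only after the allocation succeeds would keep length and buffer consistent.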
@@ -251,10 +255,6 @@ AddIdToMacDeviceList (
TempDeviceList[mMacDeviceList.CurListLen].PromptId = PromptId;
TempDeviceList[mMacDeviceList.CurListLen].QuestionId = (EFI_QUESTION_ID) (mMacDeviceList.CurListLen + NETWORK_DEVICE_LIST_KEY_OFFSET);
- if (mMacDeviceList.CurListLen > 0) {
- FreePool(mMacDeviceList.NodeList);
- }
-
mMacDeviceList.NodeList = TempDeviceList;
}
mMacDeviceList.CurListLen ++;
diff --git a/MdeModulePkg/Library/UefiHiiLib/HiiLib.c b/MdeModulePkg/Library/UefiHiiLib/HiiLib.c
index ce894c0..f9b8c3d 100644
--- a/MdeModulePkg/Library/UefiHiiLib/HiiLib.c
+++ b/MdeModulePkg/Library/UefiHiiLib/HiiLib.c
@@ -464,20 +464,24 @@ HiiGetFormSetFromHiiHandle(
}
if (FormSetBuffer != NULL){
- TempBuffer = AllocateCopyPool (TempSize + ((EFI_IFR_OP_HEADER *) OpCodeData)->Length, FormSetBuffer);
- FreePool(FormSetBuffer);
- FormSetBuffer = NULL;
+ TempBuffer = ReallocatePool (
+ TempSize,
+ TempSize + ((EFI_IFR_OP_HEADER *) OpCodeData)->Length,
+ FormSetBuffer
+ );
if (TempBuffer == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Done;
}
CopyMem (TempBuffer + TempSize, OpCodeData, ((EFI_IFR_OP_HEADER *) OpCodeData)->Length);
+ FormSetBuffer = NULL;
} else {
- TempBuffer = AllocateCopyPool (TempSize + ((EFI_IFR_OP_HEADER *) OpCodeData)->Length, OpCodeData);
+ TempBuffer = AllocatePool (TempSize + ((EFI_IFR_OP_HEADER *) OpCodeData)->Length);
if (TempBuffer == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Done;
}
+ CopyMem (TempBuffer, OpCodeData, ((EFI_IFR_OP_HEADER *) OpCodeData)->Length);
}
TempSize += ((EFI_IFR_OP_HEADER *) OpCodeData)->Length;
FormSetBuffer = TempBuffer;
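Review bot: On the ReallocatePool failure path the code jumps to `Done` with `FormSetBuffer` still pointing at the old buffer, which ReallocatePool does not free when the new allocation fails. The `Done` label is outside the hunk, so it is not visible whether it releases FormSetBuffer; if it does not, the accumulated form set data is leaked, and `FreePool (FormSetBuffer);` before `goto Done;` in that branch would close the gap. Separately, the relocated `FormSetBuffer = NULL;` is overwritten by `FormSetBuffer = TempBuffer;` right after the if/else, so it could be dropped or replaced by a comment such as `// ReallocatePool has already freed the old FormSetBuffer`.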
diff --git a/MdeModulePkg/Universal/FvSimpleFileSystemDxe/FvSimpleFileSystem.c b/MdeModulePkg/Universal/FvSimpleFileSystemDxe/FvSimpleFileSystem.c
index b81110f..e39036a 100644
--- a/MdeModulePkg/Universal/FvSimpleFileSystemDxe/FvSimpleFileSystem.c
+++ b/MdeModulePkg/Universal/FvSimpleFileSystemDxe/FvSimpleFileSystem.c
@@ -562,7 +562,8 @@ FvSimpleFileSystemOpen (
// No, there was no extension. So add one and search again for the file
// NewFileNameLength = FileNameLength + 1 + 4 = (Number of non-null character) + (file extension) + (a null character)
NewFileNameLength = FileNameLength + 1 + 4;
- FileNameWithExtension = AllocateCopyPool (NewFileNameLength * 2, FileName);
+ FileNameWithExtension = AllocatePool (NewFileNameLength * 2);
+ StrCpyS (FileNameWithExtension, NewFileNameLength, FileName);
StrCatS (FileNameWithExtension, NewFileNameLength, L".EFI");
for (FvFileInfoLink = GetFirstNode (&Instance->FileInfoHead);
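Review bot: The result of `AllocatePool (NewFileNameLength * 2)` is passed to StrCpyS and StrCatS without a NULL check, and the status returned by both string calls is ignored. The safe-string routines reject a NULL destination, but the `for` loop that follows (its body is outside the hunk) presumably still uses FileNameWithExtension. A guard such as `if (FileNameWithExtension == NULL) { return EFI_OUT_OF_RESOURCES; }` right after the allocation would make the failure explicit, provided no cleanup is needed at that point in FvSimpleFileSystemOpen. Writing the size as `NewFileNameLength * sizeof (CHAR16)` instead of `* 2` would also tie the byte count to the character type.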
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c b/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c
index 1b48c1c..5d5f17f 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c
@@ -2543,12 +2543,15 @@ MergeToMultiKeywordResp (
MultiKeywordRespLen = (StrLen (*MultiKeywordResp) + 1 + StrLen (*KeywordResp) + 1) * sizeof (CHAR16);
- StringPtr = AllocateCopyPool (MultiKeywordRespLen, *MultiKeywordResp);
+ StringPtr = ReallocatePool (
+ StrSize (*MultiKeywordResp),
+ MultiKeywordRespLen,
+ *MultiKeywordResp
+ );
if (StringPtr == NULL) {
return EFI_OUT_OF_RESOURCES;
}
-
- FreePool (*MultiKeywordResp);
+
*MultiKeywordResp = StringPtr;
StrCatS (StringPtr, MultiKeywordRespLen / sizeof (CHAR16), L"&");
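Review bot: The early `return EFI_OUT_OF_RESOURCES;` now relies on ReallocatePool leaving `*MultiKeywordResp` allocated when it fails, which is correct but not stated anywhere in the hunk. A short comment above the check, such as `// On failure ReallocatePool does not free *MultiKeywordResp; the caller still owns it`, would stop a later edit from re-adding a FreePool there and creating a double free. The added line between the closing brace and `*MultiKeywordResp = StringPtr;` appears to contain only whitespace and could be left as a plain blank line.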