diff options
| author | Jian J Wang <jian.j.wang@intel.com> | 2017-12-28 10:22:39 +0800 |
|---|---|---|
| committer | Liming Gao <liming.gao@intel.com> | 2017-12-28 11:12:35 +0800 |
| commit | 941b3c4845146e7bc0203a9e78c4554e11c66863 (patch) | |
| tree | 52da1e52b8d125099ed46dc643e552e997f9c7c1 /MdeModulePkg | |
| parent | 6805854a736b0e0192fb4863da4db4295345c87b (diff) | |
| download | edk2-941b3c4845146e7bc0203a9e78c4554e11c66863.zip edk2-941b3c4845146e7bc0203a9e78c4554e11c66863.tar.gz edk2-941b3c4845146e7bc0203a9e78c4554e11c66863.tar.bz2 | |
MdeModulePkg/DxePrintLibPrint2Protocol: Fix error in Precision position calculation
Due to a potential hole in the stop condition of loop, the two continuous
access to ArgumentString (index, index+1) inside the loop might cause the
string ending character ('\0') and the byte after it to be read.
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Diffstat (limited to 'MdeModulePkg')
| -rw-r--r-- | MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c b/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c index 56534e5..570d06d 100644 --- a/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c +++ b/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c @@ -2050,7 +2050,10 @@ InternalPrintLibSPrintMarker ( // Compute the number of characters in ArgumentString and store it in Count
// ArgumentString is either null-terminated, or it contains Precision characters
//
- for (Count = 0; Count < Precision || ((Flags & PRECISION) == 0); Count++) {
+ for (Count = 0;
+ ArgumentString[Count * BytesPerArgumentCharacter] != '\0' &&
+ Count < Precision || ((Flags & PRECISION) == 0);
+ Count++) {
ArgumentCharacter = ((ArgumentString[Count * BytesPerArgumentCharacter] & 0xff) | ((ArgumentString[Count * BytesPerArgumentCharacter + 1]) << 8)) & ArgumentMask;
if (ArgumentCharacter == 0) {
break;
@@ -2107,7 +2110,7 @@ InternalPrintLibSPrintMarker ( //
// Copy the string into the output buffer performing the required type conversions
//
- while (Index < Count) {
+ while (Index < Count && (*ArgumentString) != '\0') {
ArgumentCharacter = ((*ArgumentString & 0xff) | (((UINT8)*(ArgumentString + 1)) << 8)) & ArgumentMask;
LengthToReturn += (1 * BytesPerOutputCharacter);
|