In function BasePrintLibSPrintMarker(), when processing ASCII format strings, if the format string walker pointer 'Format' is pointing at the end of the format string (i.e. '\0'), the following expression: *(Format + 1) will read an undefined value.
Though this value won't affect the functionality, since it will be masked by variable 'FormatMask': (*(Format + 1) << 8)) & FormatMask (FormatMask is 0xff for ASCII format string) This commit adds additional logic to avoid reading undefined content. Cc: Jiewen Yao <[email protected]> Cc: Liming Gao <[email protected]> Cc: Michael Kinney <[email protected]> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu <[email protected]> --- MdePkg/Library/BasePrintLib/PrintLibInternal.c | 48 ++++++++++++++++---- 1 file changed, 40 insertions(+), 8 deletions(-) diff --git a/MdePkg/Library/BasePrintLib/PrintLibInternal.c b/MdePkg/Library/BasePrintLib/PrintLibInternal.c index 9b15a07ac0..d665b7b1d2 100644 --- a/MdePkg/Library/BasePrintLib/PrintLibInternal.c +++ b/MdePkg/Library/BasePrintLib/PrintLibInternal.c @@ -653,7 +653,11 @@ BasePrintLibSPrintMarker ( // // Get the first character from the format string // - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + if (BytesPerFormatCharacter == 1) { + FormatCharacter = (*Format & 0xff) & FormatMask; + } else { + FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + } // // Loop until the end of the format string is reached or the output buffer is full @@ -685,7 +689,11 @@ BasePrintLibSPrintMarker ( // for (Done = FALSE; !Done; ) { Format += BytesPerFormatCharacter; - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + if (BytesPerFormatCharacter == 1) { + FormatCharacter = (*Format & 0xff) & FormatMask; + } else { + FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + } switch (FormatCharacter) { case '.': Flags |= PRECISION; @@ -738,7 +746,11 @@ BasePrintLibSPrintMarker ( for (Count = 0; ((FormatCharacter >= '0') && (FormatCharacter <= '9')); ){ Count = (Count * 10) + FormatCharacter - '0'; Format += BytesPerFormatCharacter; - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + if (BytesPerFormatCharacter == 1) { + FormatCharacter = (*Format & 0xff) & FormatMask; + } else { + FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + } } Format -= BytesPerFormatCharacter; if ((Flags & PRECISION) == 0) { @@ -1017,7 +1029,11 @@ BasePrintLibSPrintMarker ( case '\r': Format += BytesPerFormatCharacter; - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + if (BytesPerFormatCharacter == 1) { + FormatCharacter = (*Format & 0xff) & FormatMask; + } else { + FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + } if (FormatCharacter == '\n') { // // Translate '\r\n' to '\r\n' @@ -1038,7 +1054,11 @@ BasePrintLibSPrintMarker ( // ArgumentString = "\r\n"; Format += BytesPerFormatCharacter; - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + if (BytesPerFormatCharacter == 1) { + FormatCharacter = (*Format & 0xff) & FormatMask; + } else { + FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + } if (FormatCharacter != '\r') { Format -= BytesPerFormatCharacter; } @@ -1057,7 +1077,11 @@ BasePrintLibSPrintMarker ( case '\r': Format += BytesPerFormatCharacter; - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + if (BytesPerFormatCharacter == 1) { + FormatCharacter = (*Format & 0xff) & FormatMask; + } else { + FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + } if (FormatCharacter == '\n') { // // Translate '\r\n' to '\r\n' @@ -1078,7 +1102,11 @@ BasePrintLibSPrintMarker ( // ArgumentString = "\r\n"; Format += BytesPerFormatCharacter; - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + if (BytesPerFormatCharacter == 1) { + FormatCharacter = (*Format & 0xff) & FormatMask; + } else { + FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + } if (FormatCharacter != '\r') { Format -= BytesPerFormatCharacter; } @@ -1206,7 +1234,11 @@ BasePrintLibSPrintMarker ( // // Get the next character from the format string // - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + if (BytesPerFormatCharacter == 1) { + FormatCharacter = (*Format & 0xff) & FormatMask; + } else { + FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + } } if ((Flags & COUNT_ONLY_NO_PRINT) != 0) { -- 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list [email protected] https://lists.01.org/mailman/listinfo/edk2-devel
