Re: [edk2] [patch] MdeModulePkg/Setup: Fix incorrect size used in AllocateCopyPool

Mon, 03 Sep 2018 17:55:15 -0700 

Reviewed-by: Eric Dong <eric.d...@intel.com>

-----Original Message-----
From: Bi, Dandan 
Sent: Tuesday, August 28, 2018 10:06 AM
To: edk2-devel@lists.01.org
Cc: Dong, Eric <eric.d...@intel.com>
Subject: [patch] MdeModulePkg/Setup: Fix incorrect size used in AllocateCopyPool

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1115

When the type of HiiValue is EFI_IFR_TYPE_BUFFER, its question type is 
EFI_IFR_ORDERED_LIST_OP.
And the buffer size allocated for Statement->BufferValue of orderedList is 
"Statement->StorageWidth"
in IfrParse.c.

So here when backup the buffer value and copy the size of 
"Statement->StorageWidth + sizeof(CHAR16)" is incorrect.

This patch is to fix this issue.

Cc: Eric Dong <eric.d...@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan...@intel.com>
---
 MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c 
b/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c
index ded1c7ad11..58daaab404 100644
--- a/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c
+++ b/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c
@@ -2002,11 +2002,11 @@ ProcessCallBackFunction (
     //
     // If EFI_BROWSER_ACTION_CHANGING type, back up the new question value.
     //
     if (Action == EFI_BROWSER_ACTION_CHANGING) {
       if (HiiValue->Type == EFI_IFR_TYPE_BUFFER) {
-        BackUpBuffer = AllocateCopyPool(Statement->StorageWidth + 
sizeof(CHAR16), Statement->BufferValue);
+        BackUpBuffer = AllocateCopyPool(Statement->StorageWidth, 
+ Statement->BufferValue);
         ASSERT (BackUpBuffer != NULL);
       } else {
         CopyMem (&BackUpValue, &HiiValue->Value, sizeof (EFI_IFR_TYPE_VALUE));
       }
     }
@@ -2128,11 +2128,11 @@ ProcessCallBackFunction (
       // then the browser will use the value passed to Callback() and ignore 
the
       // value returned by Callback().
       //
       if (Action  == EFI_BROWSER_ACTION_CHANGING && Status == EFI_UNSUPPORTED) 
{
         if (HiiValue->Type == EFI_IFR_TYPE_BUFFER) {
-          CopyMem (Statement->BufferValue, BackUpBuffer, 
Statement->StorageWidth + sizeof(CHAR16));
+          CopyMem (Statement->BufferValue, BackUpBuffer, 
+ Statement->StorageWidth);
         } else {
           CopyMem (&HiiValue->Value, &BackUpValue, sizeof 
(EFI_IFR_TYPE_VALUE));
         }
 
         //
--
2.14.3.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Reply via email to