REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1255
For function ReadFile(): If the line Status = GetAedAdsData ( ... ); is reached multiple times during the 'for' loop, freeing the data pointed by variable 'Data' may potentially lead to variable 'Ad' referencing the already-freed data. After calling function GetAllocationDescriptor(), 'Data' and 'Ad' may point to the same memory (with some possible offset). Hence, this commit will move the FreePool() call backwards to ensure the data will no longer be used. Cc: Paulo Alcantara <[email protected]> Cc: Ruiyu Ni <[email protected]> Cc: Star Zeng <[email protected]> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <[email protected]> --- MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c index 7526de79b2..bf73ab4252 100644 --- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c @@ -1044,6 +1044,7 @@ ReadFile ( EFI_STATUS Status; UINT32 LogicalBlockSize; VOID *Data; + VOID *DataBak; UINT64 Length; VOID *Ad; UINT64 AdOffset; @@ -1184,12 +1185,7 @@ ReadFile ( // Descriptor and its extents (ADs). // if (GET_EXTENT_FLAGS (RecordingFlags, Ad) == ExtentIsNextExtent) { - if (!DoFreeAed) { - DoFreeAed = TRUE; - } else { - FreePool (Data); - } - + DataBak = Data; Status = GetAedAdsData ( BlockIo, DiskIo, @@ -1200,6 +1196,13 @@ ReadFile ( &Data, &Length ); + + if (!DoFreeAed) { + DoFreeAed = TRUE; + } else { + FreePool (DataBak); + } + if (EFI_ERROR (Status)) { goto Error_Get_Aed; } -- 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list [email protected] https://lists.01.org/mailman/listinfo/edk2-devel
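Review bot: In the first hunk (the ReadFile() local declarations), the name DataBak does not say what the variable holds or why it exists. It only keeps the previous buffer alive across the GetAedAdsData() call, so a one-line comment at the `DataBak = Data;` assignment explaining that Ad may still point into that buffer would stop a later cleanup from moving the free back in front of the call.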
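Review bot: In the second hunk, `FreePool (DataBak);` runs before the `if (EFI_ERROR (Status))` check, so when GetAedAdsData() fails on a second or later pass without updating Data, Data still equals DataBak and is dangling when control reaches Error_Get_Aed. The cleanup at that label is not shown in this hunk; please confirm it neither reads nor frees Data in that case, or set Data to NULL after the free when the call failed. The same applies to the first pass, where DoFreeAed is set to TRUE even though the call may not have allocated anything.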

