This commit will resolve the issue brought by r17736.

Str   = AllocateCopyPool (MaxLen * sizeof (CHAR16), Str1);

The above using of AllocateCopyPool() will read contents out of the scope
of Str1. Potential risk for Str1 allocated at the boundary of memory
region.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a...@intel.com>
Reviewed-by: Qiu Shumin <shumin....@intel.com>
Reviewed-by: Jeff Fan <jeff....@intel.com>
---
 IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c 
b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c
index 1519315..56bcfab 100644
--- a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c
+++ b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c
@@ -1096,12 +1096,13 @@ BOpt_AppendFileName (
   Size1 = StrSize (Str1);
   Size2 = StrSize (Str2);
   MaxLen = (Size1 + Size2 + sizeof (CHAR16)) / sizeof (CHAR16);
-  Str   = AllocateCopyPool (MaxLen * sizeof (CHAR16), Str1);
+  Str   = AllocateZeroPool (MaxLen * sizeof (CHAR16));
   ASSERT (Str != NULL);
 
   TmpStr = AllocateZeroPool (MaxLen * sizeof (CHAR16)); 
   ASSERT (TmpStr != NULL);
 
+  StrCatS (Str, MaxLen, Str1);
   if (!((*Str == '\\') && (*(Str + 1) == 0))) {
     StrCatS (Str, MaxLen, L"\\");
   }
-- 
1.9.5.msysgit.0


------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel

Reply via email to