This commit will resolve the issue brought by r17736. Str = AllocateCopyPool (MaxLen * sizeof (CHAR16), Str1);
The above using of AllocateCopyPool() will read contents out of the scope of Str1. Potential risk for Str1 allocated at the boundary of memory region. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu <hao.a...@intel.com> Reviewed-by: Qiu Shumin <shumin....@intel.com> Reviewed-by: Jeff Fan <jeff....@intel.com> --- IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c index 1519315..56bcfab 100644 --- a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c +++ b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c @@ -1096,12 +1096,13 @@ BOpt_AppendFileName ( Size1 = StrSize (Str1); Size2 = StrSize (Str2); MaxLen = (Size1 + Size2 + sizeof (CHAR16)) / sizeof (CHAR16); - Str = AllocateCopyPool (MaxLen * sizeof (CHAR16), Str1); + Str = AllocateZeroPool (MaxLen * sizeof (CHAR16)); ASSERT (Str != NULL); TmpStr = AllocateZeroPool (MaxLen * sizeof (CHAR16)); ASSERT (TmpStr != NULL); + StrCatS (Str, MaxLen, Str1); if (!((*Str == '\\') && (*(Str + 1) == 0))) { StrCatS (Str, MaxLen, L"\\"); } -- 1.9.5.msysgit.0 ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ edk2-devel mailing list edk2-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/edk2-devel