|
 |
3c2ede |
From 44941e738b975e52a6494cfd9f71db5ad3f411b8 Mon Sep 17 00:00:00 2001
|
|
|
3c2ede |
From: Laszlo Ersek <lersek@redhat.com>
|
|
|
3c2ede |
Date: Fri, 22 Mar 2019 17:39:36 +0100
|
|
|
3c2ede |
Subject: [PATCH 2/8] MdeModulePkg/HiiImage: Fix stack overflow when corrupted
|
|
|
3c2ede |
BMP is parsed (CVE-2018-12181)
|
|
|
3c2ede |
MIME-Version: 1.0
|
|
|
3c2ede |
Content-Type: text/plain; charset=UTF-8
|
|
|
3c2ede |
Content-Transfer-Encoding: 8bit
|
|
|
3c2ede |
|
|
|
3c2ede |
Message-id: <20190322163936.10835-3-lersek@redhat.com>
|
|
|
3c2ede |
Patchwork-id: 85123
|
|
|
3c2ede |
O-Subject: [RHEL-7.7 ovmf PATCH 2/2] MdeModulePkg/HiiImage: Fix stack overflow
|
|
|
3c2ede |
when corrupted BMP is parsed (CVE-2018-12181)
|
|
|
3c2ede |
Bugzilla: 1691479
|
|
|
3c2ede |
Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
|
3c2ede |
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
|
|
3c2ede |
|
|
|
3c2ede |
From: Ray Ni <ray.ni@intel.com>
|
|
|
3c2ede |
|
|
|
3c2ede |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135
|
|
|
3c2ede |
|
|
|
3c2ede |
For 4bit BMP, there are only 2^4 = 16 colors in the palette.
|
|
|
3c2ede |
But when a corrupted BMP contains more than 16 colors in the palette,
|
|
|
3c2ede |
today's implementation wrongly copies all colors to the local
|
|
|
3c2ede |
PaletteValue[16] array which causes stack overflow.
|
|
|
3c2ede |
|
|
|
3c2ede |
The similar issue also exists in the logic to handle 8bit BMP.
|
|
|
3c2ede |
|
|
|
3c2ede |
The patch fixes the issue by only copies the first 16 or 256 colors
|
|
|
3c2ede |
in the palette depending on the BMP type.
|
|
|
3c2ede |
|
|
|
3c2ede |
Contributed-under: TianoCore Contribution Agreement 1.1
|
|
|
3c2ede |
Signed-off-by: Ray Ni <ray.ni@intel.com>
|
|
|
3c2ede |
Cc: Liming Gao <liming.gao@intel.com>
|
|
|
3c2ede |
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
|
|
3c2ede |
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
|
|
|
3c2ede |
(cherry picked from commit 89910a39dcfd788057caa5d88b7e76e112d187b5)
|
|
|
3c2ede |
---
|
|
|
3c2ede |
MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 4 ++--
|
|
|
3c2ede |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
3c2ede |
|
|
|
3c2ede |
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
|
|
|
3c2ede |
index dc9566b..9829bdd 100644
|
|
|
3c2ede |
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
|
|
|
3c2ede |
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
|
|
|
3c2ede |
@@ -370,7 +370,7 @@ Output4bitPixel (
|
|
|
3c2ede |
PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
|
|
|
3c2ede |
|
|
|
3c2ede |
ZeroMem (PaletteValue, sizeof (PaletteValue));
|
|
|
3c2ede |
- CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum);
|
|
|
3c2ede |
+ CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum, ARRAY_SIZE (PaletteValue)));
|
|
|
3c2ede |
FreePool (Palette);
|
|
|
3c2ede |
|
|
|
3c2ede |
//
|
|
|
3c2ede |
@@ -447,7 +447,7 @@ Output8bitPixel (
|
|
|
3c2ede |
CopyMem (Palette, PaletteInfo, PaletteSize);
|
|
|
3c2ede |
PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
|
|
|
3c2ede |
ZeroMem (PaletteValue, sizeof (PaletteValue));
|
|
|
3c2ede |
- CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum);
|
|
|
3c2ede |
+ CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum, ARRAY_SIZE (PaletteValue)));
|
|
|
3c2ede |
FreePool (Palette);
|
|
|
3c2ede |
|
|
|
3c2ede |
//
|
|
|
3c2ede |
--
|
|
|
3c2ede |
1.8.3.1
|
|
|
3c2ede |
|