diff --git a/.gitignore b/.gitignore
index 84b2a04..77a9651 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz
+SOURCES/openssl-fedora-d2ede125556ac99aa0faa7744c703af3f559094e.tar.xz
 SOURCES/ovmf-ee3198e672e2.tar.xz
diff --git a/.ovmf.metadata b/.ovmf.metadata
index 1c31019..0b066a8 100644
--- a/.ovmf.metadata
+++ b/.ovmf.metadata
@@ -1,2 +1,2 @@
-885bc596d198c8b1909f2199758e0eec6abe1904 SOURCES/openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz
+e3df430bd2ac86a819720e5a548b56b0ef144a6f SOURCES/openssl-fedora-d2ede125556ac99aa0faa7744c703af3f559094e.tar.xz
 ef7bc42e3e6decf2619709fd776481a30f4b4e53 SOURCES/ovmf-ee3198e672e2.tar.xz
diff --git a/SOURCES/ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch b/SOURCES/ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch
new file mode 100644
index 0000000..1c4145c
--- /dev/null
+++ b/SOURCES/ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch
@@ -0,0 +1,270 @@
+From 87af8da054900fd05701c6d60a496b83fb8dbb63 Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:47 +0100
+Subject: [PATCH 04/13] BaseTools: Add more checker in Decompress algorithm to
+ access the valid buffer (CVE FIX)
+
+Message-id: <20190213085050.20766-5-philmd@redhat.com>
+Patchwork-id: 84481
+O-Subject:  [RHEL-7.7 ovmf PATCH v3 4/7] BaseTools: Add more checker in
+	Decompress algorithm to access the valid buffer (CVE FIX)
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Laszlo Ersek <lersek@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+--v-- RHEL7 note start --v--
+
+Unfortunately, the upstream patch series was not structured according to
+the CVE reports. This patch contributes to fixing:
+
+- CVE-2017-5731
+- CVE-2017-5733
+- CVE-2017-5734
+- CVE-2017-5735
+
+but not CVE-2017-5732 (contrarily to the upstream commit message). The
+best I could achieve up-stream was to get the "CVE FIX" expression into
+the subject, and a whole-sale dump of the CVEs into the body. I had not
+been invited to the original (off-list, embargoed) analysis and review.
+
+The differences that "git-backport-diff" reports as "functional" for this
+backport aren't actually functional differences. They are due to
+downstream lacking two upstream commits:
+
+- f7496d717357 ("BaseTools: Clean up source files", 2018-07-09), with the
+  "usual" diffstat "289 files changed, 10645 insertions(+), 10645
+  deletions(-)";
+
+- more importantly, 472eb3b89682 ("BaseTools: Add --uefi option to enable
+  UefiCompress method", 2018-10-13).
+
+(Side note: in upstream, commit 472eb3b89682 was incorrectly reverted as
+part of 1ccc4d895dd8 ("Revert BaseTools: PYTHON3 migration", 2018-10-15),
+but then it was re-applied in f1400101a732.)
+
+In commit 472eb3b89682, the "UEFI" compression/decompression method was
+added to BaseTools, beyond the original "Tiano" method. This caused the
+Tiano method to be indented more deeply, in the main() function of
+"TianoCompress.c". (Also the original Decompress() function was renamed to
+TDecompress().) The CVE fix applies to the "Tiano" method, which RHEL8
+does have, but at a different nesting level. Therefore the changes have
+been backported manually, and the difference in indentation is also why
+"git-backport-diff" thinks the changes are functional.
+
+This backport, once applied, can be diffed against the upstream tree more
+easily as follows:
+
+  git diff -b HEAD..041d89bc0f01 -- \
+    BaseTools/Source/C/Common/Decompress.c \
+    BaseTools/Source/C/TianoCompress/TianoCompress.c
+
+--^-- RHEL7 note end --^--
+
+Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735
+https://bugzilla.tianocore.org/show_bug.cgi?id=686
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com>
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Reviewed-by: Star Zeng <star.zeng@intel.com>
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 041d89bc0f0119df37a5fce1d0f16495ff905089)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 29c394f110b1f769e629e8775874261e33d4abd9)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ BaseTools/Source/C/Common/Decompress.c           | 23 +++++++++++++++++++--
+ BaseTools/Source/C/TianoCompress/TianoCompress.c | 26 +++++++++++++++++++++++-
+ 2 files changed, 46 insertions(+), 3 deletions(-)
+
+diff --git a/BaseTools/Source/C/Common/Decompress.c b/BaseTools/Source/C/Common/Decompress.c
+index 8f1afb4..bdc10f5 100644
+--- a/BaseTools/Source/C/Common/Decompress.c
++++ b/BaseTools/Source/C/Common/Decompress.c
+@@ -194,12 +194,16 @@ Returns:
+   UINT16  Avail;
+   UINT16  NextCode;
+   UINT16  Mask;
++  UINT16  MaxTableLength;
+ 
+   for (Index = 1; Index <= 16; Index++) {
+     Count[Index] = 0;
+   }
+ 
+   for (Index = 0; Index < NumOfChar; Index++) {
++    if (BitLen[Index] > 16) {
++      return (UINT16) BAD_TABLE;
++    }
+     Count[BitLen[Index]]++;
+   }
+ 
+@@ -237,6 +241,7 @@ Returns:
+ 
+   Avail = NumOfChar;
+   Mask  = (UINT16) (1U << (15 - TableBits));
++  MaxTableLength = (UINT16) (1U << TableBits);
+ 
+   for (Char = 0; Char < NumOfChar; Char++) {
+ 
+@@ -250,6 +255,9 @@ Returns:
+     if (Len <= TableBits) {
+ 
+       for (Index = Start[Len]; Index < NextCode; Index++) {
++        if (Index >= MaxTableLength) {
++          return (UINT16) BAD_TABLE;
++        }
+         Table[Index] = Char;
+       }
+ 
+@@ -643,10 +651,14 @@ Returns: (VOID)
+ 
+       BytesRemain--;
+       while ((INT16) (BytesRemain) >= 0) {
+-        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+         if (Sd->mOutBuf >= Sd->mOrigSize) {
+           return ;
+         }
++        if (DataIdx >= Sd->mOrigSize) {
++          Sd->mBadTableFlag = (UINT16) BAD_TABLE;
++          return ;
++        }
++        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+ 
+         BytesRemain--;
+       }
+@@ -684,6 +696,7 @@ Returns:
+ --*/
+ {
+   UINT8 *Src;
++  UINT32 CompSize;
+ 
+   *ScratchSize  = sizeof (SCRATCH_DATA);
+ 
+@@ -692,7 +705,13 @@ Returns:
+     return EFI_INVALID_PARAMETER;
+   }
+ 
++  CompSize = Src[0] + (Src[1] << 8) + (Src[2] << 16) + (Src[3] << 24);
+   *DstSize = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24);
++
++  if (SrcSize < CompSize + 8 || (CompSize + 8) < 8) {
++    return EFI_INVALID_PARAMETER;
++  }
++
+   return EFI_SUCCESS;
+ }
+ 
+@@ -752,7 +771,7 @@ Returns:
+   CompSize  = Src[0] + (Src[1] << 8) + (Src[2] << 16) + (Src[3] << 24);
+   OrigSize  = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24);
+ 
+-  if (SrcSize < CompSize + 8) {
++  if (SrcSize < CompSize + 8 || (CompSize + 8) < 8) {
+     return EFI_INVALID_PARAMETER;
+   }
+ 
+diff --git a/BaseTools/Source/C/TianoCompress/TianoCompress.c b/BaseTools/Source/C/TianoCompress/TianoCompress.c
+index 046fb36..d07fd9e 100644
+--- a/BaseTools/Source/C/TianoCompress/TianoCompress.c
++++ b/BaseTools/Source/C/TianoCompress/TianoCompress.c
+@@ -1753,6 +1753,7 @@ Returns:
+   SCRATCH_DATA      *Scratch;
+   UINT8      *Src;
+   UINT32     OrigSize;
++  UINT32     CompSize;
+ 
+   SetUtilityName(UTILITY_NAME);
+   
+@@ -1761,6 +1762,7 @@ Returns:
+   OutBuffer = NULL;
+   Scratch   = NULL;
+   OrigSize = 0;
++  CompSize = 0;
+   InputLength = 0;
+   InputFileName = NULL;
+   OutputFileName = NULL;
+@@ -1979,15 +1981,24 @@ Returns:
+   if (DebugMode) {
+     DebugMsg(UTILITY_NAME, 0, DebugLevel, "Decoding\n", NULL);
+   }
++  if (InputLength < 8){
++    Error (NULL, 0, 3000, "Invalid", "The input file %s is too small.", InputFileName);
++    goto ERROR;
++  }
+   //
+   // Get Compressed file original size
+   // 
+   Src     = (UINT8 *)FileBuffer;                     
+   OrigSize  = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24);  
++  CompSize  = Src[0] + (Src[1] << 8) + (Src[2] <<16) + (Src[3] <<24);
+   
+   //
+   // Allocate OutputBuffer
+   //
++  if (InputLength < CompSize + 8 || (CompSize + 8) < 8) {
++    Error (NULL, 0, 3000, "Invalid", "The input file %s data is invalid.", InputFileName);
++    goto ERROR;
++  }
+   OutBuffer = (UINT8 *)malloc(OrigSize);
+   if (OutBuffer == NULL) {
+     Error (NULL, 0, 4001, "Resource:", "Memory cannot be allocated!");
+@@ -2171,12 +2182,16 @@ Returns:
+   UINT16  Mask;
+   UINT16  WordOfStart;
+   UINT16  WordOfCount;
++  UINT16  MaxTableLength;
+ 
+   for (Index = 0; Index <= 16; Index++) {
+     Count[Index] = 0;
+   }
+ 
+   for (Index = 0; Index < NumOfChar; Index++) {
++    if (BitLen[Index] > 16) {
++      return (UINT16) BAD_TABLE;
++    }
+     Count[BitLen[Index]]++;
+   }
+ 
+@@ -2220,6 +2235,7 @@ Returns:
+ 
+   Avail = NumOfChar;
+   Mask  = (UINT16) (1U << (15 - TableBits));
++  MaxTableLength = (UINT16) (1U << TableBits);
+ 
+   for (Char = 0; Char < NumOfChar; Char++) {
+ 
+@@ -2233,6 +2249,9 @@ Returns:
+     if (Len <= TableBits) {
+ 
+       for (Index = Start[Len]; Index < NextCode; Index++) {
++        if (Index >= MaxTableLength) {
++          return (UINT16) BAD_TABLE;
++        }
+         Table[Index] = Char;
+       }
+ 
+@@ -2617,11 +2636,16 @@ Returns: (VOID)
+       DataIdx     = Sd->mOutBuf - DecodeP (Sd) - 1;
+ 
+       BytesRemain--;
++
+       while ((INT16) (BytesRemain) >= 0) {
+-        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+         if (Sd->mOutBuf >= Sd->mOrigSize) {
+           goto Done ;
+         }
++        if (DataIdx >= Sd->mOrigSize) {
++          Sd->mBadTableFlag = (UINT16) BAD_TABLE;
++          goto Done ;
++        }
++        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+ 
+         BytesRemain--;
+       }
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch b/SOURCES/ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch
new file mode 100644
index 0000000..470e911
--- /dev/null
+++ b/SOURCES/ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch
@@ -0,0 +1,94 @@
+From 461390a9ced1986f752b2e64f36f3deee982eb6d Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:48 +0100
+Subject: [PATCH 05/13] BaseTools: Fix UEFI and Tiano Decompression logic issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190213085050.20766-6-philmd@redhat.com>
+Patchwork-id: 84484
+O-Subject:  [RHEL-7.7 ovmf PATCH v3 5/7] BaseTools: Fix UEFI and Tiano
+	Decompression logic issue
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+--v-- RHEL7 note start --v--
+
+While reviewing the RHEL8 original of this backport, Laszlo had to look
+at the "BaseTools/Source/C/TianoCompress/TianoCompress.c" hunk for a
+while longer, due to commit 472eb3b89682 missing down-stream, which he
+remembered from downstream commit 29c394f110b1.
+
+However, this hunk affects the Decode() function, which is not affected
+by the upstream-only "UefiCompress method", and also not affected by the
+related upstream-only Decompress()->TDecompress() rename. Decode() --
+i.e. the function being patched -- is called from Decompress() /
+TDecompress().
+
+Therefore, the "git backport-diff" report in the blurb which marks this
+backport patch "identical", is credible.
+
+--^-- RHEL7 note end --^--
+
+https://bugzilla.tianocore.org/show_bug.cgi?id=1317
+
+This is a regression issue caused by 041d89bc0f0119df37a5fce1d0f16495ff905089.
+In Decode() function, once mOutBuf is fully filled, Decode() should return.
+Current logic misses the checker of mOutBuf after while() loop.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
+(cherry picked from commit 5e45a1fdcfbf9b2b389122eb97475148594625f8)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+(cherry picked from commit 115cf260ac54a6793a184227d6ae6bfe3da74a56)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ BaseTools/Source/C/Common/Decompress.c           | 6 ++++++
+ BaseTools/Source/C/TianoCompress/TianoCompress.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/BaseTools/Source/C/Common/Decompress.c b/BaseTools/Source/C/Common/Decompress.c
+index bdc10f5..af76f67 100644
+--- a/BaseTools/Source/C/Common/Decompress.c
++++ b/BaseTools/Source/C/Common/Decompress.c
+@@ -662,6 +662,12 @@ Returns: (VOID)
+ 
+         BytesRemain--;
+       }
++      //
++      // Once mOutBuf is fully filled, directly return
++      //
++      if (Sd->mOutBuf >= Sd->mOrigSize) {
++        return ;
++      }
+     }
+   }
+ 
+diff --git a/BaseTools/Source/C/TianoCompress/TianoCompress.c b/BaseTools/Source/C/TianoCompress/TianoCompress.c
+index d07fd9e..369f7b3 100644
+--- a/BaseTools/Source/C/TianoCompress/TianoCompress.c
++++ b/BaseTools/Source/C/TianoCompress/TianoCompress.c
+@@ -2649,6 +2649,12 @@ Returns: (VOID)
+ 
+         BytesRemain--;
+       }
++      //
++      // Once mOutBuf is fully filled, directly return
++      //
++      if (Sd->mOutBuf >= Sd->mOrigSize) {
++        goto Done ;
++      }
+     }
+   }
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch b/SOURCES/ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch
new file mode 100644
index 0000000..4e37d43
--- /dev/null
+++ b/SOURCES/ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch
@@ -0,0 +1,128 @@
+From c48d7ac53b4b387fc70a3803e38d30b50513f90b Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:46 +0100
+Subject: [PATCH 03/13] IntelFrameworkModulePkg: Add more checker in
+ UefiTianoDecompressLib (CVE FIX)
+
+Message-id: <20190213085050.20766-4-philmd@redhat.com>
+Patchwork-id: 84483
+O-Subject:  [RHEL-7.7 ovmf PATCH v3 3/7] IntelFrameworkModulePkg: Add more
+	checker in UefiTianoDecompressLib (CVE FIX)
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Laszlo Ersek <lersek@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+--v-- RHEL7 note start --v--
+
+Unfortunately, the upstream patch series was not structured according to
+the CVE reports. This patch contributes to fixing:
+
+- CVE-2017-5733
+- CVE-2017-5734
+- CVE-2017-5735
+
+but not CVE-2017-5731 or CVE-2017-5732 (contrarily to the upstream commit
+message). The best I could achieve up-stream was to get the "CVE FIX"
+expression into the subject, and a whole-sale dump of the CVEs into the
+body. I had not been invited to the original (off-list, embargoed)
+analysis and review.
+
+The trivial context difference (whitespace) is due to RHEL8 lacking
+upstream commit 0a6f48249a60 ("IntelFrameworkModulePkg: Clean up source
+files", 2018-06-28). I've considered backporting that (since it only
+cleans up whitespace). However, the diffstat on that commit convinced me
+otherwise: "246 files changed, 4067 insertions(+), 4067 deletions(-)".
+I've decided not to do a partial backport of that (i.e. just for
+"BaseUefiTianoCustomDecompressLib.c").
+
+--^-- RHEL7 note end --^--
+
+Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735
+https://bugzilla.tianocore.org/show_bug.cgi?id=686
+To make sure the valid buffer be accessed only.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com>
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Reviewed-by: Star Zeng <star.zeng@intel.com>
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 684db6da64bc7b5faee4e1174e801c245f563b5c)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 8358e53013fc62c9556598ad842d233906de00ef)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ .../BaseUefiTianoCustomDecompressLib.c                   | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+index cb009e7..9b00166 100644
+--- a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
++++ b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+@@ -143,6 +143,7 @@ MakeTable (
+   UINT16  Mask;
+   UINT16  WordOfStart;
+   UINT16  WordOfCount;
++  UINT16  MaxTableLength;
+ 
+   //
+   // The maximum mapping table width supported by this internal
+@@ -155,6 +156,9 @@ MakeTable (
+   }
+ 
+   for (Index = 0; Index < NumOfChar; Index++) {
++    if (BitLen[Index] > 16) {
++      return (UINT16) BAD_TABLE;
++    }
+     Count[BitLen[Index]]++;
+   }
+   
+@@ -196,6 +200,7 @@ MakeTable (
+ 
+   Avail = NumOfChar;
+   Mask  = (UINT16) (1U << (15 - TableBits));
++  MaxTableLength = (UINT16) (1U << TableBits);
+ 
+   for (Char = 0; Char < NumOfChar; Char++) {
+ 
+@@ -209,6 +214,9 @@ MakeTable (
+     if (Len <= TableBits) {
+ 
+       for (Index = Start[Len]; Index < NextCode; Index++) {
++        if (Index >= MaxTableLength) {
++          return (UINT16) BAD_TABLE;
++        }
+         Table[Index] = Char;
+       }
+ 
+@@ -615,10 +623,14 @@ Decode (
+       //
+       BytesRemain--;
+       while ((INT16) (BytesRemain) >= 0) {
+-        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+         if (Sd->mOutBuf >= Sd->mOrigSize) {
+           goto Done ;
+         }
++        if (DataIdx >= Sd->mOrigSize) {
++          Sd->mBadTableFlag = (UINT16) BAD_TABLE;
++          goto Done ;
++        }
++        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+ 
+         BytesRemain--;
+       }
+@@ -688,7 +700,7 @@ UefiDecompressGetInfo (
+   }
+ 
+   CompressedSize   = ReadUnaligned32 ((UINT32 *)Source);
+-  if (SourceSize < (CompressedSize + 8)) {
++  if (SourceSize < (CompressedSize + 8) || (CompressedSize + 8) < 8) {
+     return RETURN_INVALID_PARAMETER;
+   }
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch b/SOURCES/ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch
new file mode 100644
index 0000000..34e3254
--- /dev/null
+++ b/SOURCES/ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch
@@ -0,0 +1,58 @@
+From e63a98333b858e287b0e88ff0e06bef5d46c635f Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:50 +0100
+Subject: [PATCH 07/13] IntelFrameworkModulePkg: Fix UEFI and Tiano
+ Decompression logic issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190213085050.20766-8-philmd@redhat.com>
+Patchwork-id: 84482
+O-Subject:  [RHEL-7.7 ovmf PATCH v3 7/7] IntelFrameworkModulePkg: Fix UEFI and
+	Tiano Decompression logic issue
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+https://bugzilla.tianocore.org/show_bug.cgi?id=1317
+
+This is a regression issue caused by 684db6da64bc7b5faee4e1174e801c245f563b5c.
+In Decode() function, once mOutBuf is fully filled, Decode() should return.
+Current logic misses the checker of mOutBuf after while() loop.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
+(cherry picked from commit ade71c52a49d659b20c0b433fb11ddb4f4f543c4)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+(cherry picked from commit 601458a0a87bf4169d1f0c81c0bb454d22abe8f0)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ .../BaseUefiTianoCustomDecompressLib.c                              | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+index 9b00166..e34bf4b 100644
+--- a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
++++ b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+@@ -634,6 +634,12 @@ Decode (
+ 
+         BytesRemain--;
+       }
++      //
++      // Once mOutBuf is fully filled, directly return
++      //
++      if (Sd->mOutBuf >= Sd->mOrigSize) {
++        goto Done ;
++      }
+     }
+   }
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch b/SOURCES/ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
new file mode 100644
index 0000000..2b48653
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
@@ -0,0 +1,278 @@
+From 9e68568e34bef0037bb16b3cbe361e559b8da369 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 17:39:35 +0100
+Subject: [PATCH 1/8] MdeModulePkg/HiiDatabase: Fix potential integer overflow
+ (CVE-2018-12181)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322163936.10835-2-lersek@redhat.com>
+Patchwork-id: 85124
+O-Subject:  [RHEL-7.7 ovmf PATCH 1/2] MdeModulePkg/HiiDatabase: Fix potential
+	integer overflow (CVE-2018-12181)
+Bugzilla: 1691479
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Ray Ni <ray.ni@intel.com>
+
+--v-- RHEL7 note --v--
+
+A contextual conflict had to be resolved manually because we don't have
+upstream commit 979b7d802c31 ("MdeModulePkg/HiiDB: Make sure database
+update behaviors are atomic", 2018-10-26), which was written for upstream
+BZ <https://bugzilla.tianocore.org/show_bug.cgi?id=1235>. More
+specifically, the context to which upstream ffe5f7a6b4e9 (i.e. the patch
+being backported) applies includes EfiAcquireLock() added in 979b7d802c31,
+and our downstream context lacks that.
+
+While reviewing this, I noticed that some of the new error paths
+introduced by the more rigorous checking in upstream ffe5f7a6b4e9 fail to
+release the lock. For upstream I reported a new BZ about this
+<https://bugzilla.tianocore.org/show_bug.cgi?id=1652>, but down-stream, we
+don't have the EfiAcquireLock() in the first place, so there is no leak.
+
+--^-- RHEL7 note --^--
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Ray Ni <ray.ni@intel.com>
+Cc: Dandan Bi <dandan.bi@intel.com>
+Cc: Hao A Wu <hao.a.wu@intel.com>
+Reviewed-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
+(cherry picked from commit ffe5f7a6b4e978dffbe1df228963adc914451106)
+---
+ MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 126 +++++++++++++++++++++-----
+ 1 file changed, 103 insertions(+), 23 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+index 431a5b8..dc9566b 100644
+--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
++++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+@@ -16,6 +16,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+ 
+ #include "HiiDatabase.h"
+ 
++#define MAX_UINT24    0xFFFFFF
+ 
+ /**
+   Get the imageid of last image block: EFI_HII_IIBT_END_BLOCK when input
+@@ -649,8 +650,16 @@ HiiNewImage (
+     return EFI_NOT_FOUND;
+   }
+ 
+-  NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) +
+-                 BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
++  //
++  // Calcuate the size of new image.
++  // Make sure the size doesn't overflow UINT32.
++  // Note: 24Bit BMP occpuies 3 bytes per pixel.
++  //
++  NewBlockSize = (UINT32)Image->Width * Image->Height;
++  if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL))) / 3) {
++    return EFI_OUT_OF_RESOURCES;
++  }
++  NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL));
+ 
+   //
+   // Get the image package in the package list,
+@@ -669,6 +678,18 @@ HiiNewImage (
+     //
+     // Update the package's image block by appending the new block to the end.
+     //
++
++    //
++    // Make sure the final package length doesn't overflow.
++    // Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24.
++    //
++    if (NewBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length) {
++      return EFI_OUT_OF_RESOURCES;
++    }
++    //
++    // Because ImagePackage->ImageBlockSize < ImagePackage->ImagePkgHdr.Header.Length,
++    // So (ImagePackage->ImageBlockSize + NewBlockSize) <= MAX_UINT24
++    //
+     ImageBlocks = AllocatePool (ImagePackage->ImageBlockSize + NewBlockSize);
+     if (ImageBlocks == NULL) {
+       return EFI_OUT_OF_RESOURCES;
+@@ -699,6 +720,13 @@ HiiNewImage (
+ 
+   } else {
+     //
++    // Make sure the final package length doesn't overflow.
++    // Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24.
++    //
++    if (NewBlockSize > MAX_UINT24 - (sizeof (EFI_HII_IMAGE_PACKAGE_HDR) + sizeof (EFI_HII_IIBT_END_BLOCK))) {
++      return EFI_OUT_OF_RESOURCES;
++    }
++    //
+     // The specified package list does not contain image package.
+     // Create one to add this image block.
+     //
+@@ -895,8 +923,11 @@ IGetImage (
+     // Use the common block code since the definition of these structures is the same.
+     //
+     CopyMem (&Iibt1bit, CurrentImageBlock, sizeof (EFI_HII_IIBT_IMAGE_1BIT_BLOCK));
+-    ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) *
+-                  ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
++    ImageLength = (UINTN) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height;
++    if (ImageLength > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++      return EFI_OUT_OF_RESOURCES;
++    }
++    ImageLength  *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+     Image->Bitmap = AllocateZeroPool (ImageLength);
+     if (Image->Bitmap == NULL) {
+       return EFI_OUT_OF_RESOURCES;
+@@ -945,9 +976,13 @@ IGetImage (
+     // fall through
+     //
+   case EFI_HII_IIBT_IMAGE_24BIT:
+-    Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width);
++    Width  = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width);
+     Height = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height);
+-    ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) Width * Height);
++    ImageLength = (UINTN)Width * Height;
++    if (ImageLength > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++      return EFI_OUT_OF_RESOURCES;
++    }
++    ImageLength  *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+     Image->Bitmap = AllocateZeroPool (ImageLength);
+     if (Image->Bitmap == NULL) {
+       return EFI_OUT_OF_RESOURCES;
+@@ -1114,8 +1149,23 @@ HiiSetImage (
+   //
+   // Create the new image block according to input image.
+   //
+-  NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) +
+-                 BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
++
++  //
++  // Make sure the final package length doesn't overflow.
++  // Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24.
++  // 24Bit BMP occpuies 3 bytes per pixel.
++  //
++  NewBlockSize = (UINT32)Image->Width * Image->Height;
++  if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL))) / 3) {
++    return EFI_OUT_OF_RESOURCES;
++  }
++  NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL));
++  if ((NewBlockSize > OldBlockSize) &&
++      (NewBlockSize - OldBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length)
++      ) {
++    return EFI_OUT_OF_RESOURCES;
++  }
++
+   //
+   // Adjust the image package to remove the original block firstly then add the new block.
+   //
+@@ -1207,8 +1257,8 @@ HiiDrawImage (
+   EFI_IMAGE_OUTPUT                    *ImageOut;
+   EFI_GRAPHICS_OUTPUT_BLT_PIXEL       *BltBuffer;
+   UINTN                               BufferLen;
+-  UINTN                               Width;
+-  UINTN                               Height;
++  UINT16                              Width;
++  UINT16                              Height;
+   UINTN                               Xpos;
+   UINTN                               Ypos;
+   UINTN                               OffsetY1;
+@@ -1269,21 +1319,36 @@ HiiDrawImage (
+   //
+   if (*Blt != NULL) {
+     //
++    // Make sure the BltX and BltY is inside the Blt area.
++    //
++    if ((BltX >= (*Blt)->Width) || (BltY >= (*Blt)->Height)) {
++      return EFI_INVALID_PARAMETER;
++    }
++
++    //
+     // Clip the image by (Width, Height)
+     //
+ 
+     Width  = Image->Width;
+     Height = Image->Height;
+ 
+-    if (Width > (*Blt)->Width - BltX) {
+-      Width = (*Blt)->Width - BltX;
++    if (Width > (*Blt)->Width - (UINT16)BltX) {
++      Width = (*Blt)->Width - (UINT16)BltX;
+     }
+-    if (Height > (*Blt)->Height - BltY) {
+-      Height = (*Blt)->Height - BltY;
++    if (Height > (*Blt)->Height - (UINT16)BltY) {
++      Height = (*Blt)->Height - (UINT16)BltY;
+     }
+ 
+-    BufferLen = Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+-    BltBuffer = (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *) AllocateZeroPool (BufferLen);
++    //
++    // Prepare the buffer for the temporary image.
++    // Make sure the buffer size doesn't overflow UINTN.
++    //
++    BufferLen = Width * Height;
++    if (BufferLen > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++      return EFI_OUT_OF_RESOURCES;
++    }
++    BufferLen *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
++    BltBuffer  = AllocateZeroPool (BufferLen);
+     if (BltBuffer == NULL) {
+       return EFI_OUT_OF_RESOURCES;
+     }
+@@ -1346,11 +1411,26 @@ HiiDrawImage (
+     //
+     // Allocate a new bitmap to hold the incoming image.
+     //
+-    Width  = Image->Width  + BltX;
+-    Height = Image->Height + BltY;
+ 
+-    BufferLen = Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+-    BltBuffer = (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *) AllocateZeroPool (BufferLen);
++    //
++    // Make sure the final width and height doesn't overflow UINT16.
++    //
++    if ((BltX > (UINTN)MAX_UINT16 - Image->Width) || (BltY > (UINTN)MAX_UINT16 - Image->Height)) {
++      return EFI_INVALID_PARAMETER;
++    }
++
++    Width  = Image->Width  + (UINT16)BltX;
++    Height = Image->Height + (UINT16)BltY;
++
++    //
++    // Make sure the output image size doesn't overflow UINTN.
++    //
++    BufferLen = Width * Height;
++    if (BufferLen > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++      return EFI_OUT_OF_RESOURCES;
++    }
++    BufferLen *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
++    BltBuffer  = AllocateZeroPool (BufferLen);
+     if (BltBuffer == NULL) {
+       return EFI_OUT_OF_RESOURCES;
+     }
+@@ -1360,8 +1440,8 @@ HiiDrawImage (
+       FreePool (BltBuffer);
+       return EFI_OUT_OF_RESOURCES;
+     }
+-    ImageOut->Width        = (UINT16) Width;
+-    ImageOut->Height       = (UINT16) Height;
++    ImageOut->Width        = Width;
++    ImageOut->Height       = Height;
+     ImageOut->Image.Bitmap = BltBuffer;
+ 
+     //
+@@ -1375,7 +1455,7 @@ HiiDrawImage (
+       return Status;
+     }
+     ASSERT (FontInfo != NULL);
+-    for (Index = 0; Index < Width * Height; Index++) {
++    for (Index = 0; Index < (UINTN)Width * Height; Index++) {
+       BltBuffer[Index] = FontInfo->BackgroundColor;
+     }
+     FreePool (FontInfo);
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch b/SOURCES/ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
new file mode 100644
index 0000000..aff5831
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
@@ -0,0 +1,66 @@
+From 44941e738b975e52a6494cfd9f71db5ad3f411b8 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 17:39:36 +0100
+Subject: [PATCH 2/8] MdeModulePkg/HiiImage: Fix stack overflow when corrupted
+ BMP is parsed (CVE-2018-12181)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322163936.10835-3-lersek@redhat.com>
+Patchwork-id: 85123
+O-Subject:  [RHEL-7.7 ovmf PATCH 2/2] MdeModulePkg/HiiImage: Fix stack overflow
+	when corrupted BMP is parsed (CVE-2018-12181)
+Bugzilla: 1691479
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Ray Ni <ray.ni@intel.com>
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135
+
+For 4bit BMP, there are only 2^4 = 16 colors in the palette.
+But when a corrupted BMP contains more than 16 colors in the palette,
+today's implementation wrongly copies all colors to the local
+PaletteValue[16] array which causes stack overflow.
+
+The similar issue also exists in the logic to handle 8bit BMP.
+
+The patch fixes the issue by only copies the first 16 or 256 colors
+in the palette depending on the BMP type.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Ray Ni <ray.ni@intel.com>
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
+(cherry picked from commit 89910a39dcfd788057caa5d88b7e76e112d187b5)
+---
+ MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+index dc9566b..9829bdd 100644
+--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
++++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+@@ -370,7 +370,7 @@ Output4bitPixel (
+   PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
+ 
+   ZeroMem (PaletteValue, sizeof (PaletteValue));
+-  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum);
++  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum, ARRAY_SIZE (PaletteValue)));
+   FreePool (Palette);
+ 
+   //
+@@ -447,7 +447,7 @@ Output8bitPixel (
+   CopyMem (Palette, PaletteInfo, PaletteSize);
+   PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
+   ZeroMem (PaletteValue, sizeof (PaletteValue));
+-  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum);
++  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum, ARRAY_SIZE (PaletteValue)));
+   FreePool (Palette);
+ 
+   //
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch
new file mode 100644
index 0000000..3aeb39d
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch
@@ -0,0 +1,97 @@
+From 5c43edaf8f41ad18bc66c29fea9b039488d858c8 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 21:53:19 +0100
+Subject: [PATCH 3/8] MdeModulePkg/PartitionDxe: Add check for underlying
+ device block size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322205323.17693-2-lersek@redhat.com>
+Patchwork-id: 85131
+O-Subject:  [RHEL-7.7 ovmf PATCH 1/5] MdeModulePkg/PartitionDxe: Add check for
+	underlying device block size
+Bugzilla: 1691647
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Hao Wu <hao.a.wu@intel.com>
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828
+
+Within FindAnchorVolumeDescriptorPointer():
+
+Add a check for the underlying device block size to ensure it is greater
+than the size of an Anchor Volume Descriptor Pointer.
+
+Cc: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Paulo Alcantara <palcantara@suse.de>
+Acked-by: Star Zeng <star.zeng@intel.com>
+(cherry picked from commit 4df8f5bfa28b8b881e506437e8f08d92c1a00370)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c | 29 ++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c
+index 83bd174..49c56f6 100644
+--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c
++++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c
+@@ -1,8 +1,17 @@
+ /** @file
+   Scan for an UDF file system on a formatted media.
+ 
++  Caution: This file requires additional review when modified.
++  This driver will have external input - CD/DVD media.
++  This external input must be validated carefully to avoid security issue like
++  buffer overflow, integer overflow.
++
++  FindUdfFileSystem() routine will consume the media properties and do basic
++  validation.
++
+   Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.
+   Copyright (C) 2014-2017 Paulo Alcantara <pcacjr@zytor.com>
++  Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>
+ 
+   This program and the accompanying materials are licensed and made available
+   under the terms and conditions of the BSD License which accompanies this
+@@ -102,6 +111,20 @@ FindAnchorVolumeDescriptorPointer (
+   AvdpsCount = 0;
+ 
+   //
++  // Check if the block size of the underlying media can hold the data of an
++  // Anchor Volume Descriptor Pointer
++  //
++  if (BlockSize < sizeof (UDF_ANCHOR_VOLUME_DESCRIPTOR_POINTER)) {
++    DEBUG ((
++      DEBUG_ERROR,
++      "%a: Media block size 0x%x unable to hold an AVDP.\n",
++      __FUNCTION__,
++      BlockSize
++      ));
++    return EFI_UNSUPPORTED;
++  }
++
++  //
+   // Find AVDP at block 256
+   //
+   Status = DiskIo->ReadDisk (
+@@ -598,6 +621,12 @@ Out_Free:
+ /**
+   Find a supported UDF file system in block device.
+ 
++  @attention This is boundary function that may receive untrusted input.
++  @attention The input is from Partition.
++
++  The CD/DVD media is the external input, so this routine will do basic
++  validation for the media.
++
+   @param[in]  BlockIo             BlockIo interface.
+   @param[in]  DiskIo              DiskIo interface.
+   @param[out] StartingLBA         UDF file system starting LBA.
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
index 9f0dfe7..f925de0 100644
--- a/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
+++ b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
@@ -1,26 +1,26 @@
-From 582ce8009e286361be2468d48c0c7763edc62718 Mon Sep 17 00:00:00 2001
+From 29d5545ca1b9cefb7e813b65e36eb9efc192fbc0 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
-Date: Fri, 1 Mar 2019 12:38:19 +0100
-Subject: [PATCH 2/3] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR
+Date: Fri, 1 Mar 2019 13:16:46 +0100
+Subject: [PATCH 08/13] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR
  (CVE-2018-12180)
 
-Message-id: <20190301113820.13948-3-lersek@redhat.com>
-Patchwork-id: 84753
-O-Subject:  [RHEL-7.6.z ovmf PATCH 2/3] MdeModulePkg/PartitionDxe: Ensure
-	blocksize holds MBR (CVE-2018-12180)
-Bugzilla: 1684006
+Message-id: <20190301121647.16026-2-lersek@redhat.com>
+Patchwork-id: 84756
+O-Subject:  [RHEL-7.7 ovmf PATCH 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize
+	holds MBR (CVE-2018-12180)
+Bugzilla: 1684007
 Acked-by: Thomas Huth <thuth@redhat.com>
 Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
 
 From: Hao Wu <hao.a.wu@intel.com>
 
---v-- RHEL-7.6 note --v--
+--v-- RHEL-7.7 note --v--
 
 Trivial conflicts resolved in "Gpt.c" and "Mbr.c": up-stream, the Intel
 copyright notice got meanwhile extended to 2018, in commit d1102dba7210
 ("MdeModulePkg: Clean up source files", 2018-06-28).
 
---^-- RHEL-7.6 note --^--
+--^-- RHEL-7.7 note --^--
 
 REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
 
diff --git a/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch b/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
index d12d1d1..6e3cf06 100644
--- a/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
+++ b/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
@@ -1,14 +1,14 @@
-From 9d78bac116d939d3a833150747e29e861b75eedc Mon Sep 17 00:00:00 2001
+From 8104f654744067eca1cc96d2156742dc1155b5b7 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
-Date: Fri, 1 Mar 2019 12:38:20 +0100
-Subject: [PATCH 3/3] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size
+Date: Fri, 1 Mar 2019 13:16:47 +0100
+Subject: [PATCH 09/13] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size
  (CVE-2018-12180)
 
-Message-id: <20190301113820.13948-4-lersek@redhat.com>
-Patchwork-id: 84754
-O-Subject:  [RHEL-7.6.z ovmf PATCH 3/3] MdeModulePkg/RamDiskDxe: Restrict on RAM
+Message-id: <20190301121647.16026-3-lersek@redhat.com>
+Patchwork-id: 84757
+O-Subject:  [RHEL-7.7 ovmf PATCH 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM
 	disk size (CVE-2018-12180)
-Bugzilla: 1684006
+Bugzilla: 1684007
 Acked-by: Thomas Huth <thuth@redhat.com>
 Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
 
diff --git a/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch
new file mode 100644
index 0000000..704ef2d
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch
@@ -0,0 +1,57 @@
+From adfd3101494f52d71cbd8d15be9146e7570e6397 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 21:53:22 +0100
+Subject: [PATCH 6/8] MdeModulePkg/UdfDxe: Add boundary check for
+ ComponentIdentifier decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322205323.17693-5-lersek@redhat.com>
+Patchwork-id: 85133
+O-Subject:  [RHEL-7.7 ovmf PATCH 4/5] MdeModulePkg/UdfDxe: Add boundary check for
+	ComponentIdentifier decode
+Bugzilla: 1691647
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Hao Wu <hao.a.wu@intel.com>
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828
+
+Within ResolveSymlink():
+
+The boundary check will validate the 'LengthofComponentIdentifier' field
+of a Path Component matches the data within the relating (Extended) File
+Entry.
+
+Cc: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Paulo Alcantara <palcantara@suse.de>
+Acked-by: Star Zeng <star.zeng@intel.com>
+(cherry picked from commit 89f75aa04a97293a8ed9db2a90851a5053730cf5)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+index 0012075..1aefed8 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+@@ -2137,6 +2137,10 @@ ResolveSymlink (
+         return EFI_VOLUME_CORRUPTED;
+       }
+ 
++      if ((UINTN)PathComp->ComponentIdentifier + PathCompLength > (UINTN)EndData) {
++        return EFI_VOLUME_CORRUPTED;
++      }
++
+       Char = FileName;
+       for (Index = 1; Index < PathCompLength; Index++) {
+         if (CompressionId == 16) {
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch
new file mode 100644
index 0000000..a7758b6
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch
@@ -0,0 +1,103 @@
+From 288997968e9c6352b09930c23fc05f53e3bc0dad Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 21:53:23 +0100
+Subject: [PATCH 7/8] MdeModulePkg/UdfDxe: Add boundary check for getting
+ volume (free) size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322205323.17693-6-lersek@redhat.com>
+Patchwork-id: 85134
+O-Subject:  [RHEL-7.7 ovmf PATCH 5/5] MdeModulePkg/UdfDxe: Add boundary check for
+	getting volume (free) size
+Bugzilla: 1691647
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Hao Wu <hao.a.wu@intel.com>
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828
+
+Within GetVolumeSize():
+
+The boundary check will validate the 'NumberOfPartitions' field of a
+Logical Volume Integrity Descriptor matches the data within the relating
+Logical Volume Descriptor.
+
+Cc: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Paulo Alcantara <palcantara@suse.de>
+Acked-by: Star Zeng <star.zeng@intel.com>
+(cherry picked from commit 3b30351b75d70ea65701ac999875fbb81a89a5ca)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ .../Universal/Disk/UdfDxe/FileSystemOperations.c        | 17 ++++++++++++++++-
+ MdeModulePkg/Universal/Disk/UdfDxe/Udf.h                |  7 +++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+index 1aefed8..ae19a42 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+@@ -2451,6 +2451,13 @@ SetFileInfo (
+ /**
+   Get volume and free space size information of an UDF volume.
+ 
++  @attention This is boundary function that may receive untrusted input.
++  @attention The input is from FileSystem.
++
++  The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are
++  external inputs, so this routine will do basic validation for both descriptors
++  and report status.
++
+   @param[in]   BlockIo        BlockIo interface.
+   @param[in]   DiskIo         DiskIo interface.
+   @param[in]   Volume         UDF volume information structure.
+@@ -2489,7 +2496,8 @@ GetVolumeSize (
+ 
+   ExtentAd = &LogicalVolDesc->IntegritySequenceExtent;
+ 
+-  if (ExtentAd->ExtentLength == 0) {
++  if ((ExtentAd->ExtentLength == 0) ||
++      (ExtentAd->ExtentLength < sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) {
+     return EFI_VOLUME_CORRUPTED;
+   }
+ 
+@@ -2529,6 +2537,13 @@ GetVolumeSize (
+     goto Out_Free;
+   }
+ 
++  if ((LogicalVolInt->NumberOfPartitions > MAX_UINT32 / sizeof (UINT32) / 2) ||
++      (LogicalVolInt->NumberOfPartitions * sizeof (UINT32) * 2 >
++       ExtentAd->ExtentLength - sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) {
++    Status = EFI_VOLUME_CORRUPTED;
++    goto Out_Free;
++  }
++
+   *VolumeSize = 0;
+   *FreeSpaceSize = 0;
+ 
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
+index 9b82441..b054c62 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
+@@ -903,6 +903,13 @@ SetFileInfo (
+ /**
+   Get volume and free space size information of an UDF volume.
+ 
++  @attention This is boundary function that may receive untrusted input.
++  @attention The input is from FileSystem.
++
++  The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are
++  external inputs, so this routine will do basic validation for both descriptors
++  and report status.
++
+   @param[in]   BlockIo        BlockIo interface.
+   @param[in]   DiskIo         DiskIo interface.
+   @param[in]   Volume         UDF volume information structure.
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch
new file mode 100644
index 0000000..539ce62
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch
@@ -0,0 +1,156 @@
+From 8a7cd4ba31848171f596a1eb1df0bc06633d3276 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 21:53:21 +0100
+Subject: [PATCH 5/8] MdeModulePkg/UdfDxe: Add boundary check the read of
+ FE/EFE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322205323.17693-4-lersek@redhat.com>
+Patchwork-id: 85130
+O-Subject:  [RHEL-7.7 ovmf PATCH 3/5] MdeModulePkg/UdfDxe: Add boundary check the
+	read of FE/EFE
+Bugzilla: 1691647
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Hao Wu <hao.a.wu@intel.com>
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828
+
+Within ReadFile():
+
+Add checks to ensure that when getting the raw data or the Allocation
+Descriptors' data from a FE/EFE, it will not consume data beyond the
+size of a FE/EFE.
+
+Cc: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Paulo Alcantara <palcantara@suse.de>
+Acked-by: Star Zeng <star.zeng@intel.com>
+(cherry picked from commit 5c0748f43f4e1cc15fdd0be64a764eacd7df92f6)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ .../Universal/Disk/UdfDxe/FileSystemOperations.c   | 54 ++++++++++++++++++++--
+ 1 file changed, 50 insertions(+), 4 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+index 424f41c..0012075 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+@@ -504,15 +504,27 @@ DuplicateFe (
+ 
+   NOTE: The FE/EFE can be thought it was an inode.
+ 
++  @attention This is boundary function that may receive untrusted input.
++  @attention The input is from FileSystem.
++
++  The (Extended) File Entry is external input, so this routine will do basic
++  validation for (Extended) File Entry and report status.
++
+   @param[in]  FileEntryData       (Extended) File Entry pointer.
++  @param[in]  FileEntrySize       Size of the (Extended) File Entry specified
++                                  by FileEntryData.
+   @param[out] Data                Buffer contains the raw data of a given
+                                   (Extended) File Entry.
+   @param[out] Length              Length of the data in Buffer.
+ 
++  @retval EFI_SUCCESS             Raw data and size of the FE/EFE was read.
++  @retval EFI_VOLUME_CORRUPTED    The file system structures are corrupted.
++
+ **/
+-VOID
++EFI_STATUS
+ GetFileEntryData (
+   IN   VOID    *FileEntryData,
++  IN   UINTN   FileEntrySize,
+   OUT  VOID    **Data,
+   OUT  UINT64  *Length
+   )
+@@ -536,20 +548,40 @@ GetFileEntryData (
+     *Data    = (VOID *)((UINT8 *)FileEntry->Data +
+                         FileEntry->LengthOfExtendedAttributes);
+   }
++
++  if ((*Length > FileEntrySize) ||
++      ((UINTN)FileEntryData > (UINTN)(*Data)) ||
++      ((UINTN)(*Data) - (UINTN)FileEntryData > FileEntrySize - *Length)) {
++    return EFI_VOLUME_CORRUPTED;
++  }
++  return EFI_SUCCESS;
+ }
+ 
+ /**
+   Get Allocation Descriptors' data information from a given FE/EFE.
+ 
++  @attention This is boundary function that may receive untrusted input.
++  @attention The input is from FileSystem.
++
++  The (Extended) File Entry is external input, so this routine will do basic
++  validation for (Extended) File Entry and report status.
++
+   @param[in]  FileEntryData       (Extended) File Entry pointer.
++  @param[in]  FileEntrySize       Size of the (Extended) File Entry specified
++                                  by FileEntryData.
+   @param[out] AdsData             Buffer contains the Allocation Descriptors'
+                                   data from a given FE/EFE.
+   @param[out] Length              Length of the data in AdsData.
+ 
++  @retval EFI_SUCCESS             The data and size of Allocation Descriptors
++                                  were read from the FE/EFE.
++  @retval EFI_VOLUME_CORRUPTED    The file system structures are corrupted.
++
+ **/
+-VOID
++EFI_STATUS
+ GetAdsInformation (
+   IN   VOID    *FileEntryData,
++  IN   UINTN   FileEntrySize,
+   OUT  VOID    **AdsData,
+   OUT  UINT64  *Length
+   )
+@@ -573,6 +605,13 @@ GetAdsInformation (
+     *AdsData = (VOID *)((UINT8 *)FileEntry->Data +
+                         FileEntry->LengthOfExtendedAttributes);
+   }
++
++  if ((*Length > FileEntrySize) ||
++      ((UINTN)FileEntryData > (UINTN)(*AdsData)) ||
++      ((UINTN)(*AdsData) - (UINTN)FileEntryData > FileEntrySize - *Length)) {
++    return EFI_VOLUME_CORRUPTED;
++  }
++  return EFI_SUCCESS;
+ }
+ 
+ /**
+@@ -1066,7 +1105,10 @@ ReadFile (
+     //
+     // There are no extents for this FE/EFE. All data is inline.
+     //
+-    GetFileEntryData (FileEntryData, &Data, &Length);
++    Status = GetFileEntryData (FileEntryData, Volume->FileEntrySize, &Data, &Length);
++    if (EFI_ERROR (Status)) {
++      return Status;
++    }
+ 
+     if (ReadFileInfo->Flags == ReadFileGetFileSize) {
+       ReadFileInfo->ReadLength = Length;
+@@ -1110,7 +1152,11 @@ ReadFile (
+     // This FE/EFE contains a run of Allocation Descriptors. Get data + size
+     // for start reading them out.
+     //
+-    GetAdsInformation (FileEntryData, &Data, &Length);
++    Status = GetAdsInformation (FileEntryData, Volume->FileEntrySize, &Data, &Length);
++    if (EFI_ERROR (Status)) {
++      return Status;
++    }
++
+     AdOffset = 0;
+ 
+     for (;;) {
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch
new file mode 100644
index 0000000..75f4fb9
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch
@@ -0,0 +1,358 @@
+From 070a96e19dc08a87906035a1b0a67e8a3973a900 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 21:53:20 +0100
+Subject: [PATCH 4/8] MdeModulePkg/UdfDxe: Refine boundary checks for file/path
+ name string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322205323.17693-3-lersek@redhat.com>
+Patchwork-id: 85132
+O-Subject:  [RHEL-7.7 ovmf PATCH 2/5] MdeModulePkg/UdfDxe: Refine boundary checks
+	for file/path name string
+Bugzilla: 1691647
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Hao Wu <hao.a.wu@intel.com>
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828
+
+The commit refines the boundary checks for file/path name string to
+prevent possible buffer overrun.
+
+Cc: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Paulo Alcantara <palcantara@suse.de>
+Acked-by: Star Zeng <star.zeng@intel.com>
+(cherry picked from commit b9ae1705adfdd43668027a25a2b03c2e81960219)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ MdeModulePkg/Universal/Disk/UdfDxe/File.c          | 30 ++++++++--
+ .../Universal/Disk/UdfDxe/FileSystemOperations.c   | 65 +++++++++++++++++++---
+ MdeModulePkg/Universal/Disk/UdfDxe/Udf.h           | 30 +++++++++-
+ 3 files changed, 110 insertions(+), 15 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/File.c b/MdeModulePkg/Universal/Disk/UdfDxe/File.c
+index 6f07bf2..bd723d0 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/File.c
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/File.c
+@@ -2,6 +2,7 @@
+   Handle operations in files and directories from UDF/ECMA-167 file systems.
+ 
+   Copyright (C) 2014-2017 Paulo Alcantara <pcacjr@zytor.com>
++  Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>
+ 
+   This program and the accompanying materials are licensed and made available
+   under the terms and conditions of the BSD License which accompanies this
+@@ -248,7 +249,7 @@ UdfOpen (
+     FileName = TempFileName + 1;
+   }
+ 
+-  StrCpyS (NewPrivFileData->FileName, UDF_PATH_LENGTH, FileName);
++  StrCpyS (NewPrivFileData->FileName, UDF_FILENAME_LENGTH, FileName);
+ 
+   Status = GetFileSize (
+     PrivFsData->BlockIo,
+@@ -444,7 +445,7 @@ UdfRead (
+       FreePool ((VOID *)NewFileEntryData);
+       NewFileEntryData = FoundFile.FileEntry;
+ 
+-      Status = GetFileNameFromFid (NewFileIdentifierDesc, FileName);
++      Status = GetFileNameFromFid (NewFileIdentifierDesc, ARRAY_SIZE (FileName), FileName);
+       if (EFI_ERROR (Status)) {
+         FreePool ((VOID *)FoundFile.FileIdentifierDesc);
+         goto Error_Get_FileName;
+@@ -456,7 +457,7 @@ UdfRead (
+       FoundFile.FileIdentifierDesc  = NewFileIdentifierDesc;
+       FoundFile.FileEntry           = NewFileEntryData;
+ 
+-      Status = GetFileNameFromFid (FoundFile.FileIdentifierDesc, FileName);
++      Status = GetFileNameFromFid (FoundFile.FileIdentifierDesc, ARRAY_SIZE (FileName), FileName);
+       if (EFI_ERROR (Status)) {
+         goto Error_Get_FileName;
+       }
+@@ -718,6 +719,12 @@ UdfSetPosition (
+ /**
+   Get information about a file.
+ 
++  @attention This is boundary function that may receive untrusted input.
++  @attention The input is from FileSystem.
++
++  The File Set Descriptor is external input, so this routine will do basic
++  validation for File Set Descriptor and report status.
++
+   @param  This            Protocol instance pointer.
+   @param  InformationType Type of information to return in Buffer.
+   @param  BufferSize      On input size of buffer, on output amount of data in
+@@ -794,6 +801,10 @@ UdfGetInfo (
+         *String = *(UINT8 *)(OstaCompressed + Index) << 8;
+         Index++;
+       } else {
++        if (Index > ARRAY_SIZE (VolumeLabel)) {
++          return EFI_VOLUME_CORRUPTED;
++        }
++
+         *String = 0;
+       }
+ 
+@@ -813,7 +824,11 @@ UdfGetInfo (
+       String++;
+     }
+ 
+-    *String = L'\0';
++    Index = ((UINTN)String - (UINTN)VolumeLabel) / sizeof (CHAR16);
++    if (Index > ARRAY_SIZE (VolumeLabel) - 1) {
++      Index = ARRAY_SIZE (VolumeLabel) - 1;
++    }
++    VolumeLabel[Index] = L'\0';
+ 
+     FileSystemInfoLength = StrSize (VolumeLabel) +
+                            sizeof (EFI_FILE_SYSTEM_INFO);
+@@ -823,8 +838,11 @@ UdfGetInfo (
+     }
+ 
+     FileSystemInfo = (EFI_FILE_SYSTEM_INFO *)Buffer;
+-    StrCpyS (FileSystemInfo->VolumeLabel, ARRAY_SIZE (VolumeLabel),
+-             VolumeLabel);
++    StrCpyS (
++      FileSystemInfo->VolumeLabel,
++      (*BufferSize - OFFSET_OF (EFI_FILE_SYSTEM_INFO, VolumeLabel)) / sizeof (CHAR16),
++      VolumeLabel
++      );
+     Status = GetVolumeSize (
+       PrivFsData->BlockIo,
+       PrivFsData->DiskIo,
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+index ecc1723..424f41c 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+@@ -2,6 +2,7 @@
+   Handle on-disk format and volume structures in UDF/ECMA-167 file systems.
+ 
+   Copyright (C) 2014-2017 Paulo Alcantara <pcacjr@zytor.com>
++  Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>
+ 
+   This program and the accompanying materials are licensed and made available
+   under the terms and conditions of the BSD License which accompanies this
+@@ -1412,7 +1413,7 @@ InternalFindFile (
+         break;
+       }
+     } else {
+-      Status = GetFileNameFromFid (FileIdentifierDesc, FoundFileName);
++      Status = GetFileNameFromFid (FileIdentifierDesc, ARRAY_SIZE (FoundFileName), FoundFileName);
+       if (EFI_ERROR (Status)) {
+         break;
+       }
+@@ -1705,6 +1706,11 @@ FindFile (
+   while (*FilePath != L'\0') {
+     FileNamePointer = FileName;
+     while (*FilePath != L'\0' && *FilePath != L'\\') {
++      if ((((UINTN)FileNamePointer - (UINTN)FileName) / sizeof (CHAR16)) >=
++          (ARRAY_SIZE (FileName) - 1)) {
++        return EFI_NOT_FOUND;
++      }
++
+       *FileNamePointer++ = *FilePath++;
+     }
+ 
+@@ -1882,22 +1888,38 @@ ReadDirectoryEntry (
+   Get a filename (encoded in OSTA-compressed format) from a File Identifier
+   Descriptor on an UDF volume.
+ 
++  @attention This is boundary function that may receive untrusted input.
++  @attention The input is from FileSystem.
++
++  The File Identifier Descriptor is external input, so this routine will do
++  basic validation for File Identifier Descriptor and report status.
++
+   @param[in]   FileIdentifierDesc  File Identifier Descriptor pointer.
++  @param[in]   CharMax             The maximum number of FileName Unicode char,
++                                   including terminating null char.
+   @param[out]  FileName            Decoded filename.
+ 
+   @retval EFI_SUCCESS           Filename decoded and read.
+   @retval EFI_VOLUME_CORRUPTED  The file system structures are corrupted.
++  @retval EFI_BUFFER_TOO_SMALL  The string buffer FileName cannot hold the
++                                decoded filename.
+ **/
+ EFI_STATUS
+ GetFileNameFromFid (
+   IN   UDF_FILE_IDENTIFIER_DESCRIPTOR  *FileIdentifierDesc,
++  IN   UINTN                           CharMax,
+   OUT  CHAR16                          *FileName
+   )
+ {
+-  UINT8 *OstaCompressed;
+-  UINT8 CompressionId;
+-  UINT8 Length;
+-  UINTN Index;
++  UINT8  *OstaCompressed;
++  UINT8  CompressionId;
++  UINT8  Length;
++  UINTN  Index;
++  CHAR16 *FileNameBak;
++
++  if (CharMax == 0) {
++    return EFI_BUFFER_TOO_SMALL;
++  }
+ 
+   OstaCompressed =
+     (UINT8 *)(
+@@ -1910,10 +1932,22 @@ GetFileNameFromFid (
+     return EFI_VOLUME_CORRUPTED;
+   }
+ 
++  FileNameBak = FileName;
++
+   //
+   // Decode filename.
+   //
+   Length = FileIdentifierDesc->LengthOfFileIdentifier;
++  if (CompressionId == 16) {
++    if (((UINTN)Length >> 1) > CharMax) {
++      return EFI_BUFFER_TOO_SMALL;
++    }
++  } else {
++    if ((Length != 0) && ((UINTN)Length - 1 > CharMax)) {
++      return EFI_BUFFER_TOO_SMALL;
++    }
++  }
++
+   for (Index = 1; Index < Length; Index++) {
+     if (CompressionId == 16) {
+       *FileName = OstaCompressed[Index++] << 8;
+@@ -1928,7 +1962,11 @@ GetFileNameFromFid (
+     FileName++;
+   }
+ 
+-  *FileName = L'\0';
++  Index = ((UINTN)FileName - (UINTN)FileNameBak) / sizeof (CHAR16);
++  if (Index > CharMax - 1) {
++    Index = CharMax - 1;
++  }
++  FileNameBak[Index] = L'\0';
+ 
+   return EFI_SUCCESS;
+ }
+@@ -1936,6 +1974,12 @@ GetFileNameFromFid (
+ /**
+   Resolve a symlink file on an UDF volume.
+ 
++  @attention This is boundary function that may receive untrusted input.
++  @attention The input is from FileSystem.
++
++  The Path Component is external input, so this routine will do basic
++  validation for Path Component and report status.
++
+   @param[in]   BlockIo        BlockIo interface.
+   @param[in]   DiskIo         DiskIo interface.
+   @param[in]   Volume         UDF volume information structure.
+@@ -2054,6 +2098,9 @@ ResolveSymlink (
+                           Index) << 8;
+           Index++;
+         } else {
++          if (Index > ARRAY_SIZE (FileName)) {
++            return EFI_UNSUPPORTED;
++          }
+           *Char = 0;
+         }
+ 
+@@ -2064,7 +2111,11 @@ ResolveSymlink (
+         Char++;
+       }
+ 
+-      *Char = L'\0';
++      Index = ((UINTN)Char - (UINTN)FileName) / sizeof (CHAR16);
++      if (Index > ARRAY_SIZE (FileName) - 1) {
++        Index = ARRAY_SIZE (FileName) - 1;
++      }
++      FileName[Index] = L'\0';
+       break;
+     }
+ 
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
+index d441539..9b82441 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
+@@ -2,6 +2,7 @@
+   UDF/ECMA-167 file system driver.
+ 
+   Copyright (C) 2014-2017 Paulo Alcantara <pcacjr@zytor.com>
++  Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>
+ 
+   This program and the accompanying materials are licensed and made available
+   under the terms and conditions of the BSD License which accompanies this
+@@ -559,9 +560,16 @@ UdfSetPosition (
+ /**
+   Get information about a file.
+ 
++  @attention This is boundary function that may receive untrusted input.
++  @attention The input is from FileSystem.
++
++  The File Set Descriptor is external input, so this routine will do basic
++  validation for File Set Descriptor and report status.
++
+   @param  This            Protocol instance pointer.
+   @param  InformationType Type of information to return in Buffer.
+-  @param  BufferSize      On input size of buffer, on output amount of data in buffer.
++  @param  BufferSize      On input size of buffer, on output amount of data in
++                          buffer.
+   @param  Buffer          The buffer to return data.
+ 
+   @retval EFI_SUCCESS          Data was returned.
+@@ -571,7 +579,8 @@ UdfSetPosition (
+   @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted.
+   @retval EFI_WRITE_PROTECTED  The device is write protected.
+   @retval EFI_ACCESS_DENIED    The file was open for read only.
+-  @retval EFI_BUFFER_TOO_SMALL Buffer was too small; required size returned in BufferSize.
++  @retval EFI_BUFFER_TOO_SMALL Buffer was too small; required size returned in
++                               BufferSize.
+ 
+ **/
+ EFI_STATUS
+@@ -769,21 +778,38 @@ ReadDirectoryEntry (
+   Get a filename (encoded in OSTA-compressed format) from a File Identifier
+   Descriptor on an UDF volume.
+ 
++  @attention This is boundary function that may receive untrusted input.
++  @attention The input is from FileSystem.
++
++  The File Identifier Descriptor is external input, so this routine will do
++  basic validation for File Identifier Descriptor and report status.
++
+   @param[in]   FileIdentifierDesc  File Identifier Descriptor pointer.
++  @param[in]   CharMax             The maximum number of FileName Unicode char,
++                                   including terminating null char.
+   @param[out]  FileName            Decoded filename.
+ 
+   @retval EFI_SUCCESS           Filename decoded and read.
+   @retval EFI_VOLUME_CORRUPTED  The file system structures are corrupted.
++  @retval EFI_BUFFER_TOO_SMALL  The string buffer FileName cannot hold the
++                                decoded filename.
+ **/
+ EFI_STATUS
+ GetFileNameFromFid (
+   IN   UDF_FILE_IDENTIFIER_DESCRIPTOR  *FileIdentifierDesc,
++  IN   UINTN                           CharMax,
+   OUT  CHAR16                          *FileName
+   );
+ 
+ /**
+   Resolve a symlink file on an UDF volume.
+ 
++  @attention This is boundary function that may receive untrusted input.
++  @attention The input is from FileSystem.
++
++  The Path Component is external input, so this routine will do basic
++  validation for Path Component and report status.
++
+   @param[in]   BlockIo        BlockIo interface.
+   @param[in]   DiskIo         DiskIo interface.
+   @param[in]   Volume         UDF volume information structure.
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch b/SOURCES/ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch
new file mode 100644
index 0000000..d093043
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch
@@ -0,0 +1,264 @@
+From 665567cda914855b29632120174ab28be8c6df58 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 9 Apr 2019 16:11:36 +0200
+Subject: [PATCH 8/8] MdeModulePkg UsbBusDxe: Fix wrong buffer length used to
+ read hub desc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190409141136.27390-2-lersek@redhat.com>
+Patchwork-id: 85539
+O-Subject:  [RHEL-7.7 ovmf PATCH 1/1] MdeModulePkg UsbBusDxe: Fix wrong buffer
+	length used to read hub desc
+Bugzilla: 1697534
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Star Zeng <star.zeng@intel.com>
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=973
+
+HUB descriptor has variable length.
+But the code uses stack (HubDesc in UsbHubInit) with fixed length
+sizeof(EFI_USB_HUB_DESCRIPTOR) to hold HUB descriptor data.
+It uses hard code length value (32 that is greater than
+sizeof(EFI_USB_HUB_DESCRIPTOR)) for SuperSpeed path, then there will
+be stack overflow when IOMMU is enabled because the Unmap operation
+will copy the data from device buffer to host buffer.
+And it uses HubDesc->Length for none SuperSpeed path, then there will
+be stack overflow when HubDesc->Length is greater than
+sizeof(EFI_USB_HUB_DESCRIPTOR).
+
+The patch updates the code to use a big enough buffer to hold the
+descriptor data.
+The definition EFI_USB_SUPER_SPEED_HUB_DESCRIPTOR is wrong (HubDelay
+field should be UINT16 type) and no code is using it, the patch
+removes it.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Bret Barkelew <bret.barkelew@microsoft.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Star Zeng <star.zeng@intel.com>
+Reviewed-by: Bret Barkelew <bret.barkelew@microsoft.com>
+(cherry picked from commit acebdf14c985c5c9f50b37ece0b15ada87767359)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c | 96 +++++++++++----------------------
+ MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h | 14 +----
+ 2 files changed, 32 insertions(+), 78 deletions(-)
+
+diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c
+index fabb441..a962f76 100644
+--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c
++++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c
+@@ -2,7 +2,7 @@
+ 
+     Unified interface for RootHub and Hub.
+ 
+-Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.<BR> 
++Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR> 
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution.  The full text of the license may be found at
+@@ -201,42 +201,7 @@ UsbHubCtrlClearTTBuffer (
+ }
+ 
+ /**
+-  Usb hub control transfer to get the super speed hub descriptor.
+-
+-  @param  HubDev                The hub device.
+-  @param  Buf                   The buffer to hold the descriptor.
+-
+-  @retval EFI_SUCCESS           The hub descriptor is retrieved.
+-  @retval Others                Failed to retrieve the hub descriptor.
+-
+-**/
+-EFI_STATUS
+-UsbHubCtrlGetSuperSpeedHubDesc (
+-  IN  USB_DEVICE          *HubDev,
+-  OUT VOID                *Buf
+-  )
+-{
+-  EFI_STATUS              Status;
+-  
+-  Status = EFI_INVALID_PARAMETER;
+-  
+-  Status = UsbCtrlRequest (
+-             HubDev,
+-             EfiUsbDataIn,
+-             USB_REQ_TYPE_CLASS,
+-             USB_HUB_TARGET_HUB,
+-             USB_HUB_REQ_GET_DESC,
+-             (UINT16) (USB_DESC_TYPE_HUB_SUPER_SPEED << 8),
+-             0,
+-             Buf,
+-             32
+-             );
+-
+-  return Status;
+-}
+-
+-/**
+-  Usb hub control transfer to get the hub descriptor.
++  Usb hub control transfer to get the (super speed) hub descriptor.
+ 
+   @param  HubDev                The hub device.
+   @param  Buf                   The buffer to hold the descriptor.
+@@ -254,6 +219,11 @@ UsbHubCtrlGetHubDesc (
+   )
+ {
+   EFI_STATUS              Status;
++  UINT8                   DescType;
++
++  DescType = (HubDev->Speed == EFI_USB_SPEED_SUPER) ?
++             USB_DESC_TYPE_HUB_SUPER_SPEED :
++             USB_DESC_TYPE_HUB;
+ 
+   Status = UsbCtrlRequest (
+              HubDev,
+@@ -261,7 +231,7 @@ UsbHubCtrlGetHubDesc (
+              USB_REQ_TYPE_CLASS,
+              USB_HUB_TARGET_HUB,
+              USB_HUB_REQ_GET_DESC,
+-             (UINT16) (USB_DESC_TYPE_HUB << 8),
++             (UINT16) (DescType << 8),
+              0,
+              Buf,
+              Len
+@@ -475,29 +445,19 @@ UsbHubReadDesc (
+ {
+   EFI_STATUS              Status;
+ 
+-  if (HubDev->Speed == EFI_USB_SPEED_SUPER) {
+-    //
+-    // Get the super speed hub descriptor
+-    //
+-    Status = UsbHubCtrlGetSuperSpeedHubDesc (HubDev, HubDesc);
+-  } else {
+-
+-    //
+-    // First get the hub descriptor length
+-    //
+-    Status = UsbHubCtrlGetHubDesc (HubDev, HubDesc, 2);
+-
+-    if (EFI_ERROR (Status)) {
+-      return Status;
+-    }
++  //
++  // First get the hub descriptor length
++  //
++  Status = UsbHubCtrlGetHubDesc (HubDev, HubDesc, 2);
+ 
+-    //
+-    // Get the whole hub descriptor
+-    //
+-    Status = UsbHubCtrlGetHubDesc (HubDev, HubDesc, HubDesc->Length);
++  if (EFI_ERROR (Status)) {
++    return Status;
+   }
+ 
+-  return Status;
++  //
++  // Get the whole hub descriptor
++  //
++  return UsbHubCtrlGetHubDesc (HubDev, HubDesc, HubDesc->Length);
+ }
+ 
+ 
+@@ -690,7 +650,8 @@ UsbHubInit (
+   IN USB_INTERFACE        *HubIf
+   )
+ {
+-  EFI_USB_HUB_DESCRIPTOR  HubDesc;
++  UINT8                   HubDescBuffer[256];
++  EFI_USB_HUB_DESCRIPTOR  *HubDesc;
+   USB_ENDPOINT_DESC       *EpDesc;
+   USB_INTERFACE_SETTING   *Setting;
+   EFI_USB_IO_PROTOCOL     *UsbIo;
+@@ -725,14 +686,19 @@ UsbHubInit (
+     return EFI_DEVICE_ERROR;
+   }
+ 
+-  Status = UsbHubReadDesc (HubDev, &HubDesc);
++  //
++  // The length field of descriptor is UINT8 type, so the buffer
++  // with 256 bytes is enough to hold the descriptor data.
++  //
++  HubDesc = (EFI_USB_HUB_DESCRIPTOR *) HubDescBuffer;
++  Status = UsbHubReadDesc (HubDev, HubDesc);
+ 
+   if (EFI_ERROR (Status)) {
+     DEBUG (( EFI_D_ERROR, "UsbHubInit: failed to read HUB descriptor %r\n", Status));
+     return Status;
+   }
+ 
+-  HubIf->NumOfPort = HubDesc.NumPorts;
++  HubIf->NumOfPort = HubDesc->NumPorts;
+ 
+   DEBUG (( EFI_D_INFO, "UsbHubInit: hub %d has %d ports\n", HubDev->Address,HubIf->NumOfPort));
+ 
+@@ -751,7 +717,7 @@ UsbHubInit (
+     DEBUG ((EFI_D_INFO, "UsbHubInit: Set Hub Depth as 0x%x\n", Depth));
+     UsbHubCtrlSetHubDepth (HubIf->Device, Depth);
+     
+-    for (Index = 0; Index < HubDesc.NumPorts; Index++) {
++    for (Index = 0; Index < HubDesc->NumPorts; Index++) {
+       UsbHubCtrlSetPortFeature (HubIf->Device, Index, USB_HUB_PORT_REMOTE_WAKE_MASK);
+     }    
+   } else {
+@@ -759,15 +725,15 @@ UsbHubInit (
+     // Feed power to all the hub ports. It should be ok
+     // for both gang/individual powered hubs.
+     //
+-    for (Index = 0; Index < HubDesc.NumPorts; Index++) {
++    for (Index = 0; Index < HubDesc->NumPorts; Index++) {
+       UsbHubCtrlSetPortFeature (HubIf->Device, Index, (EFI_USB_PORT_FEATURE) USB_HUB_PORT_POWER);
+     }
+ 
+     //
+     // Update for the usb hub has no power on delay requirement
+     //
+-    if (HubDesc.PwrOn2PwrGood > 0) {
+-      gBS->Stall (HubDesc.PwrOn2PwrGood * USB_SET_PORT_POWER_STALL);
++    if (HubDesc->PwrOn2PwrGood > 0) {
++      gBS->Stall (HubDesc->PwrOn2PwrGood * USB_SET_PORT_POWER_STALL);
+     }
+     UsbHubAckHubStatus (HubIf->Device);
+   }
+diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h
+index 4e5fcd8..fe9f1f7 100644
+--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h
++++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h
+@@ -2,7 +2,7 @@
+ 
+     The definition for USB hub.
+ 
+-Copyright (c) 2007 - 2010, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR>
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution.  The full text of the license may be found at
+@@ -115,18 +115,6 @@ typedef struct {
+   UINT8           Filler[16];
+ } EFI_USB_HUB_DESCRIPTOR;
+ 
+-typedef struct {
+-  UINT8           Length;
+-  UINT8           DescType;
+-  UINT8           NumPorts;
+-  UINT16          HubCharacter;
+-  UINT8           PwrOn2PwrGood;
+-  UINT8           HubContrCurrent;
+-  UINT8           HubHdrDecLat;
+-  UINT8           HubDelay;
+-  UINT8           DeviceRemovable;
+-} EFI_USB_SUPER_SPEED_HUB_DESCRIPTOR;
+-
+ #pragma pack()
+ 
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch b/SOURCES/ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch
new file mode 100644
index 0000000..e77f913
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch
@@ -0,0 +1,80 @@
+From 0afba771bf42a9793e86bc565f23a8ca99d53dbb Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:44 +0100
+Subject: [PATCH 01/13] MdeModulePkg Variable: Fix Timestamp zeroing issue on
+ APPEND_WRITE
+
+Message-id: <20190213085050.20766-2-philmd@redhat.com>
+Patchwork-id: 84478
+O-Subject:  [RHEL-7.7 ovmf PATCH v3 1/7] MdeModulePkg Variable: Fix Timestamp
+	zeroing issue on APPEND_WRITE
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Laszlo Ersek <lersek@redhat.com>
+
+From: Star Zeng <star.zeng@intel.com>
+
+--v-- RHEL7 note start --v--
+
+This patch fixes CVE-2018-3613. Unfortunately, the upstream subject line
+does not include the CVE number. I've decided to stick with the upstream
+subject verbatim in the backport, so we can more easily drop this patch at
+the next rebase. On the upstream list, I did complain loudly, so there's
+hope the next CVE fix will advertise the CVE number in the subject.
+
+In practice, the vulnerability is difficult to exploit. Please refer to
+the following messages in the upstream discussion:
+
+  https://lists.01.org/pipermail/edk2-devel/2018-October/031103.html
+  https://lists.01.org/pipermail/edk2-devel/2018-October/031140.html
+
+--^-- RHEL7 note end --^--
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415
+
+When SetVariable() to a time based auth variable with APPEND_WRITE
+attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in
+the input Data is earlier than current value, it will cause timestamp
+zeroing.
+
+This issue may bring time based auth variable downgrade problem.
+For example:
+A vendor released three certs at 2014, 2015, and 2016, and system
+integrated the 2016 cert. User can SetVariable() with 2015 cert and
+APPEND_WRITE attribute to cause timestamp zeroing first, then
+SetVariable() with 2014 cert to downgrade the cert.
+
+This patch fixes this issue.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Star Zeng <star.zeng@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+(cherry picked from commit b7dc8888f31402f410c53242839271ba3b94b619)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 3b8ff18ad4ac1af740a979ad27fb83dbbdca70ef)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+index 6caf603..60439b5 100644
+--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
++++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+@@ -2460,6 +2460,8 @@ UpdateVariable (
+         if (Variable->CurrPtr != NULL) {
+           if (VariableCompareTimeStampInternal (&(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) {
+             CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME));
++          } else {
++            CopyMem (&AuthVariable->TimeStamp, &(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME));
+           }
+         }
+       }
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch b/SOURCES/ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch
new file mode 100644
index 0000000..5a90543
--- /dev/null
+++ b/SOURCES/ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch
@@ -0,0 +1,128 @@
+From 6e3079460fa075f4b44c1031b1e20709979d9424 Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:45 +0100
+Subject: [PATCH 02/13] MdePkg: Add more checker in UefiDecompressLib to access
+ the valid buffer only (CVE FIX)
+
+Message-id: <20190213085050.20766-3-philmd@redhat.com>
+Patchwork-id: 84480
+O-Subject:  [RHEL-7.7 ovmf PATCH v3 2/7] MdePkg: Add more checker in
+	UefiDecompressLib to access the valid buffer only (CVE FIX)
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Laszlo Ersek <lersek@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+--v-- RHEL7 note start --v--
+Unfortunately, the upstream patch series was not structured according to
+the CVE reports. This patch contributes to fixing:
+
+- CVE-2017-5732
+- CVE-2017-5733
+- CVE-2017-5734
+- CVE-2017-5735
+
+but not CVE-2017-5731 (contrarily to the upstream commit message). The
+best I could achieve up-stream was to get the "CVE FIX" expression into
+the subject, and a whole-sale dump of the CVEs into the body. I had not
+been invited to the original (off-list, embargoed) analysis and review.
+
+The trivial context difference (whitespace) is due to RHEL8 lacking
+upstream commit 9095d37b8fe5 ("MdePkg: Clean up source files",
+2018-06-28). I've considered backporting that (since it only cleans up
+whitespace). However, the diffstat on that commit convinced me otherwise:
+"729 files changed, 15667 insertions(+), 15667 deletions(-)". I've decided
+not to do a partial backport of that (i.e. just for
+"BaseUefiDecompressLib.c").
+
+--^-- RHEL7 note end --^--
+
+Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735
+https://bugzilla.tianocore.org/show_bug.cgi?id=686
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com>
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Reviewed-by: Star Zeng <star.zeng@intel.com>
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 2ec7953d49677142c5f7552e9e3d96fb406ba0c4)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 41129e136b621728eb5cb1c81aafcc5fedc53a12)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ .../BaseUefiDecompressLib/BaseUefiDecompressLib.c       | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
+index e818543..0c6b1fe 100644
+--- a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
++++ b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
+@@ -152,6 +152,7 @@ MakeTable (
+   UINT16  Mask;
+   UINT16  WordOfStart;
+   UINT16  WordOfCount;
++  UINT16  MaxTableLength;
+ 
+   //
+   // The maximum mapping table width supported by this internal
+@@ -164,6 +165,9 @@ MakeTable (
+   }
+ 
+   for (Index = 0; Index < NumOfChar; Index++) {
++    if (BitLen[Index] > 16) {
++      return (UINT16) BAD_TABLE;
++    }
+     Count[BitLen[Index]]++;
+   }
+   
+@@ -205,6 +209,7 @@ MakeTable (
+ 
+   Avail = NumOfChar;
+   Mask  = (UINT16) (1U << (15 - TableBits));
++  MaxTableLength = (UINT16) (1U << TableBits);
+ 
+   for (Char = 0; Char < NumOfChar; Char++) {
+ 
+@@ -218,6 +223,9 @@ MakeTable (
+     if (Len <= TableBits) {
+ 
+       for (Index = Start[Len]; Index < NextCode; Index++) {
++        if (Index >= MaxTableLength) {
++          return (UINT16) BAD_TABLE;
++        }
+         Table[Index] = Char;
+       }
+ 
+@@ -620,11 +628,16 @@ Decode (
+       // Write BytesRemain of bytes into mDstBase
+       //
+       BytesRemain--;
++
+       while ((INT16) (BytesRemain) >= 0) {
+-        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+         if (Sd->mOutBuf >= Sd->mOrigSize) {
+           goto Done;
+         }
++        if (DataIdx >= Sd->mOrigSize) {
++          Sd->mBadTableFlag = (UINT16) BAD_TABLE;
++          goto Done;
++        }
++        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+ 
+         BytesRemain--;
+       }
+@@ -694,7 +707,7 @@ UefiDecompressGetInfo (
+   }
+ 
+   CompressedSize   = ReadUnaligned32 ((UINT32 *)Source);
+-  if (SourceSize < (CompressedSize + 8)) {
++  if (SourceSize < (CompressedSize + 8) || (CompressedSize + 8) < 8) {
+     return RETURN_INVALID_PARAMETER;
+   }
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch b/SOURCES/ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch
new file mode 100644
index 0000000..13ce299
--- /dev/null
+++ b/SOURCES/ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch
@@ -0,0 +1,59 @@
+From c3915e0546924db36fd1cd85bf77318302168ee6 Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:49 +0100
+Subject: [PATCH 06/13] MdePkg BaseUefiDecompressLib: Fix UEFI Decompression
+ logic issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190213085050.20766-7-philmd@redhat.com>
+Patchwork-id: 84485
+O-Subject:  [RHEL-7.7 ovmf PATCH v3 6/7] MdePkg BaseUefiDecompressLib: Fix UEFI
+	Decompression logic issue
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+https://bugzilla.tianocore.org/show_bug.cgi?id=1317
+
+This is a regression issue caused by 2ec7953d49677142c5f7552e9e3d96fb406ba0c4.
+In Decode() function, once mOutBuf is fully filled, Decode() should return.
+Current logic misses the checker of mOutBuf after while() loop.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Cc: Michael Kinney <michael.d.kinney@intel.com>
+Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
+(cherry picked from commit 1c4cecc9fd314de0dce8125b0d4b45967637a401)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+(cherry picked from commit c46469847b68f6a1a5b42feaf0de7a83fd0bed85)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
+index 0c6b1fe..8c30e97 100644
+--- a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
++++ b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
+@@ -641,6 +641,12 @@ Decode (
+ 
+         BytesRemain--;
+       }
++      //
++      // Once mOutBuf is fully filled, directly return
++      //
++      if (Sd->mOutBuf >= Sd->mOrigSize) {
++        goto Done;
++      }
+     }
+   }
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-Upgrade-OpenSSL-to-1.1.0j.patch b/SOURCES/ovmf-Upgrade-OpenSSL-to-1.1.0j.patch
new file mode 100644
index 0000000..aa47c88
--- /dev/null
+++ b/SOURCES/ovmf-Upgrade-OpenSSL-to-1.1.0j.patch
@@ -0,0 +1,192 @@
+From 05565be8fdd79d641aa22b7b7a686dd68f158ce8 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 13 Feb 2019 22:06:28 +0100
+Subject: [PATCH 13/13] Upgrade OpenSSL to 1.1.0j
+
+RH-Author: Laszlo Ersek <lersek@redhat.com>
+Message-id: <20190213225928.17791-5-lersek@redhat.com>
+Patchwork-id: 84502
+O-Subject: [RHEL-7.7 ovmf PATCH 4/4] Upgrade OpenSSL to 1.1.0j
+Bugzilla: 1650390
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+--v-- RHEL7 note start --v--
+
+(1) NOTE: this is a partial cherry-pick. We're only advancing to 1.1.0i.
+
+    The upstream commit advanced the OpenSSL git submodule from upstream
+    OpenSSL commit d4e4bd2a8163 ("Prepare for 1.1.0h release", 2018-03-27)
+    to upstream OpenSSL commit 74f2d9c1ec5f ("Prepare for 1.1.0j release",
+    2018-11-20). Meaning, upstream edk2 skipped 1.1.0i.
+
+    However, Fedora 28 only offers 1.1.0i at this point (and it will not
+    be rebased again until 1.1.0k is released). Therefore hunks in the
+    upstream CryptoPkg commit that relate specifically to 1.1.0j have to
+    be dropped from the backport.
+
+    The only such hunks are the "crypto/getenv.c" additions to the INF
+    files. The related upstream OpenSSL change was commit 1abdf08284af
+    ("Use secure_getenv(3) when available.", 2018-09-24), part of tag
+    "OpenSSL_1_1_0j".
+
+    The other hunks all relate to OpenSSL commits present in tag
+    "OpenSSL_1_1_0i" -- hence we keep those hunks:
+
+    * 23dec58b9c2e ("Move the loading of the ssl_conf module to
+      libcrypto", 2018-04-05)
+
+      This justifies the addition of "crypto/conf/conf_ssl.c" to the INF
+      files.
+
+    * 6912debb881e ("Add APIs for custom X509_LOOKUP_METHOD creation",
+      2018-05-30)
+
+      This justifies the addition of "crypto/x509/x509_meth.c" to the INF
+      files.
+
+    * dcb8333087d5 ("Avoid __GNUC__ warnings when defining
+      DECLARE_DEPRECATED", 2018-07-11)
+
+      This justifies the ifdeffery update in "opensslconf.h".
+
+(2) After this downstream patch, the affected files almost match their
+    upstream counterparts at commit a18f784cfdbe (i.e., at the commit
+    being cherry-picked). What's missing (beyond the above 1.1.0j-specific
+    hunks) belong to the following upstream commits, which we don't need:
+
+    * 630f67ddfea2 ("CryptoPkg: Clean up source files", 2018-06-28),
+
+    * 94d67262d891 ("CryptoPkg: Removing ipf which is no longer supported
+      from edk2.", 2018-09-25)
+
+      (IPF stands for Itanium.)
+
+--^-- RHEL7 note end --^--
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1393
+
+BZ#1089 (https://bugzilla.tianocore.org/show_bug.cgi?id=1089) requests
+to upgrade the OpenSSL to the latest 1.1.1 release. Since OpenSSL-1.1.1
+has many changes, more porting efforts and feature evaluation are needed.
+This might lead to a situation that it cannot catch the Q1'19 stable tag.
+
+One of the solution is upgrade current version (1.1.0h) to 1.1.0j.
+According to following web page in openssl.org, all security issues
+solved in 1.1.1 have been also back-ported to 1.1.0.j. This can make
+sure that no security vulnerabilities left in edk2 master before 1.1.1.
+
+https://www.openssl.org/news/vulnerabilities-1.1.1.html
+
+Cc: Ting Ye <ting.ye@intel.com>
+Cc: Gang Wei <gang.wei@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Reviewed-by: Gang Wei <gang.wei@intel.com>
+Reviewed-by: Ting Ye <ting.ye@intel.com>
+(cherry picked from commit a18f784cfdbe17855ec4376e80db927e1a81aaca)
+---
+ CryptoPkg/CryptoPkg.dsc                           |  1 +
+ CryptoPkg/Library/Include/openssl/opensslconf.h   | 20 +++++++++++++-------
+ CryptoPkg/Library/OpensslLib/OpensslLib.inf       |  2 ++
+ CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf |  2 ++
+ CryptoPkg/Library/OpensslLib/process_files.pl     |  0
+ 5 files changed, 18 insertions(+), 7 deletions(-)
+ mode change 100644 => 100755 CryptoPkg/Library/OpensslLib/process_files.pl
+
+diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
+index b49e587..f305f95 100644
+--- a/CryptoPkg/CryptoPkg.dsc
++++ b/CryptoPkg/CryptoPkg.dsc
+@@ -124,6 +124,7 @@
+   CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+   CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+   CryptoPkg/Library/TlsLib/TlsLib.inf
++  CryptoPkg/Library/OpensslLib/OpensslLib.inf
+ 
+   CryptoPkg/CryptRuntimeDxe/CryptRuntimeDxe.inf
+ 
+diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
+index 1917d7a..28dd9ab 100644
+--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
++++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
+@@ -2,7 +2,7 @@
+  * WARNING: do not edit!
+  * Generated from include/openssl/opensslconf.h.in
+  *
+- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -235,12 +235,18 @@ extern "C" {
+  * still won't see them if the library has been built to disable deprecated
+  * functions.
+  */
+-#if defined(OPENSSL_NO_DEPRECATED)
+-# define DECLARE_DEPRECATED(f)
+-#elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
+-# define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
+-#else
+-# define DECLARE_DEPRECATED(f)   f;
++#ifndef DECLARE_DEPRECATED
++# if defined(OPENSSL_NO_DEPRECATED)
++#  define DECLARE_DEPRECATED(f)
++# else
++#  define DECLARE_DEPRECATED(f)   f;
++#  ifdef __GNUC__
++#   if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
++#    undef DECLARE_DEPRECATED
++#    define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
++#   endif
++#  endif
++# endif
+ #endif
+ 
+ #ifndef OPENSSL_FILE
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+index 55a6fa3..b44510d 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+@@ -175,6 +175,7 @@
+   $(OPENSSL_PATH)/crypto/conf/conf_mall.c
+   $(OPENSSL_PATH)/crypto/conf/conf_mod.c
+   $(OPENSSL_PATH)/crypto/conf/conf_sap.c
++  $(OPENSSL_PATH)/crypto/conf/conf_ssl.c
+   $(OPENSSL_PATH)/crypto/cpt_err.c
+   $(OPENSSL_PATH)/crypto/cryptlib.c
+   $(OPENSSL_PATH)/crypto/cversion.c
+@@ -418,6 +419,7 @@
+   $(OPENSSL_PATH)/crypto/x509/x509_err.c
+   $(OPENSSL_PATH)/crypto/x509/x509_ext.c
+   $(OPENSSL_PATH)/crypto/x509/x509_lu.c
++  $(OPENSSL_PATH)/crypto/x509/x509_meth.c
+   $(OPENSSL_PATH)/crypto/x509/x509_obj.c
+   $(OPENSSL_PATH)/crypto/x509/x509_r2x.c
+   $(OPENSSL_PATH)/crypto/x509/x509_req.c
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+index f542998..46217cc 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+@@ -175,6 +175,7 @@
+   $(OPENSSL_PATH)/crypto/conf/conf_mall.c
+   $(OPENSSL_PATH)/crypto/conf/conf_mod.c
+   $(OPENSSL_PATH)/crypto/conf/conf_sap.c
++  $(OPENSSL_PATH)/crypto/conf/conf_ssl.c
+   $(OPENSSL_PATH)/crypto/cpt_err.c
+   $(OPENSSL_PATH)/crypto/cryptlib.c
+   $(OPENSSL_PATH)/crypto/cversion.c
+@@ -418,6 +419,7 @@
+   $(OPENSSL_PATH)/crypto/x509/x509_err.c
+   $(OPENSSL_PATH)/crypto/x509/x509_ext.c
+   $(OPENSSL_PATH)/crypto/x509/x509_lu.c
++  $(OPENSSL_PATH)/crypto/x509/x509_meth.c
+   $(OPENSSL_PATH)/crypto/x509/x509_obj.c
+   $(OPENSSL_PATH)/crypto/x509/x509_r2x.c
+   $(OPENSSL_PATH)/crypto/x509/x509_req.c
+diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
+old mode 100644
+new mode 100755
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-sb.json b/SOURCES/ovmf-sb.json
new file mode 100644
index 0000000..c804ac1
--- /dev/null
+++ b/SOURCES/ovmf-sb.json
@@ -0,0 +1,36 @@
+{
+    "description": "OVMF with SB+SMM, SB enabled, MS certs enrolled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "executable": {
+            "filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/OVMF/OVMF_VARS.secboot.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "amd-sev",
+        "enrolled-keys",
+        "requires-smm",
+        "secure-boot",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/SOURCES/ovmf.json b/SOURCES/ovmf.json
new file mode 100644
index 0000000..5e8a94a
--- /dev/null
+++ b/SOURCES/ovmf.json
@@ -0,0 +1,35 @@
+{
+    "description": "OVMF with SB+SMM, empty varstore",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "executable": {
+            "filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/OVMF/OVMF_VARS.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "amd-sev",
+        "requires-smm",
+        "secure-boot",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/SPECS/ovmf.spec b/SPECS/ovmf.spec
index c77cd87..88f0aa7 100644
--- a/SPECS/ovmf.spec
+++ b/SPECS/ovmf.spec
@@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
 
 Name:       ovmf
 Version:    %{GITDATE}
-Release:    3.git%{GITCOMMIT}%{?dist}.1
+Release:    6.git%{GITCOMMIT}%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 Group:      Applications/Emulators
 License:    BSD and OpenSSL and MIT
@@ -19,10 +19,13 @@ URL:        http://www.tianocore.org
 # | xz -9ev >/tmp/ovmf-$COMMIT.tar.xz
 Source0: http://batcave.lab.eng.brq.redhat.com/www/ovmf-%{GITCOMMIT}.tar.xz
 Source1: ovmf-whitepaper-c770f8c.txt
-Source2: openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz
+Source2: openssl-fedora-d2ede125556ac99aa0faa7744c703af3f559094e.tar.xz
 Source3: ovmf-vars-generator
 Source4: LICENSE.qosb
 
+Source10: ovmf-sb.json
+Source11: ovmf.json
+
 Patch0003: 0003-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
 Patch0004: 0004-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
 Patch0005: 0005-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
@@ -42,10 +45,42 @@ Patch0019: 0019-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
 Patch20: ovmf-OvmfPkg-PlatformBootManagerLib-connect-consoles-unco.patch
 Patch21: ovmf-ArmVirtPkg-PlatformBootManagerLib-connect-Virtio-RNG.patch
 Patch22: ovmf-OvmfPkg-PlatformBootManagerLib-connect-Virtio-RNG-de.patch
-# For bz#1684006 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.6.z]
-Patch23: ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
-# For bz#1684006 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.6.z]
-Patch24: ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch23: ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch24: ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch25: ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch26: ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch27: ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch28: ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch29: ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch
+# For bz#1684007 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.7]
+Patch30: ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
+# For bz#1684007 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.7]
+Patch31: ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
+# For bz#1650390 - CVE-2018-5407 OVMF: openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) [rhel-7]
+Patch33: ovmf-Upgrade-OpenSSL-to-1.1.0j.patch
+# For bz#1691479 - CVE-2018-12181 OVMF: edk2: Stack buffer overflow with corrupted BMP [rhel-7]
+Patch34: ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
+# For bz#1691479 - CVE-2018-12181 OVMF: edk2: Stack buffer overflow with corrupted BMP [rhel-7]
+Patch35: ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
+# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7]
+Patch36: ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch
+# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7]
+Patch37: ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch
+# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7]
+Patch38: ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch
+# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7]
+Patch39: ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch
+# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7]
+Patch40: ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch
+# For bz#1697534 - CVE-2019-0161 ovmf: edk2: stack overflow in XHCI causing denial of service [rhel-7]
+Patch41: ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch
 
 
 # python2-devel and libuuid-devel are required for building tools
@@ -81,7 +116,7 @@ Summary:    UEFI firmware for x86_64 virtual machines
 BuildArch:  noarch
 
 # OVMF includes the Secure Boot feature; it has a builtin OpenSSL library.
-Provides:   bundled(openssl) = 1.1.0h
+Provides:   bundled(openssl) = 1.1.0i
 License:    BSD and OpenSSL
 
 # URL taken from the Maintainers.txt file.
@@ -161,6 +196,7 @@ echo "Applied $COUNT patches"
 rm -f $PATCHLIST
 
 cp -a -- %{SOURCE1} %{SOURCE3} .
+cp -a -- %{SOURCE10} %{SOURCE11} .
 tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
 
 # Done by %setup, but we do not use it for the auxiliary tarballs
@@ -278,6 +314,10 @@ install -m 0644 UefiShell.iso                             $RPM_BUILD_ROOT%{_data
 install -m 0644 OvmfPkg/README                            $RPM_BUILD_ROOT%{_docdir}/%{subpkgname}/README
 install -m 0644 ovmf-whitepaper-c770f8c.txt               $RPM_BUILD_ROOT%{_docdir}/%{subpkgname}/ovmf-whitepaper-c770f8c.txt
 
+mkdir -p $RPM_BUILD_ROOT%{_datadir}/qemu/firmware
+install -m 0644 ovmf-sb.json $RPM_BUILD_ROOT%{_datadir}/qemu/firmware/50-ovmf-sb.json
+install -m 0644 ovmf.json    $RPM_BUILD_ROOT%{_datadir}/qemu/firmware/60-ovmf.json
+
 copy_license CryptoPkg/Library/OpensslLib/openssl/LICENSE OpensslLib
 
 %else
@@ -328,6 +368,11 @@ chmod 0644 -- $RPM_BUILD_ROOT%{_datadir}/AAVMF/AAVMF_*.fd
 %{_datadir}/OVMF/OVMF_VARS.secboot.fd
 %{_datadir}/OVMF/UefiShell.iso
 
+%dir %{_datadir}/qemu
+%dir %{_datadir}/qemu/firmware
+%{_datadir}/qemu/firmware/50-ovmf-sb.json
+%{_datadir}/qemu/firmware/60-ovmf.json
+
 %else
 %dir %{_datadir}/AAVMF/
 %{_datadir}/AAVMF/AAVMF_CODE.verbose.fd
@@ -360,11 +405,47 @@ true
 %endif
 
 %changelog
-* Tue Mar 05 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-3.gitee3198e672e2.el7_6.1
-- ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch [bz#1684006]
-- ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch [bz#1684006]
-- Resolves: bz#1684006
-  (CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.6.z])
+* Mon Apr 15 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-6.gitee3198e672e2.el7
+- ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch [bz#1691479]
+- ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch [bz#1691479]
+- ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch [bz#1691647]
+- ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch [bz#1691647]
+- ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch [bz#1691647]
+- ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch [bz#1691647]
+- ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch [bz#1691647]
+- ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch [bz#1697534]
+- Resolves: bz#1691479
+  (CVE-2018-12181 OVMF: edk2: Stack buffer overflow with corrupted BMP [rhel-7])
+- Resolves: bz#1691647
+  (CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7])
+- Resolves: bz#1697534
+  (CVE-2019-0161 ovmf: edk2: stack overflow in XHCI causing denial of service [rhel-7])
+
+* Thu Mar 07 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-5.gitee3198e672e2.el7
+- ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch [bz#1666586]
+- ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch [bz#1666586]
+- ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch [bz#1666586]
+- ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch [bz#1666586]
+- ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch [bz#1666586]
+- ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch [bz#1666586]
+- ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch [bz#1666586]
+- ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch [bz#1684007]
+- ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch [bz#1684007]
+- ovmf-redhat-openssl-update-introduce-MOCK-shorthand-for-m.patch [bz#1650390]
+- ovmf-redhat-openssl-update-enable-the-bootstrap-container.patch [bz#1650390]
+- ovmf-redhat-consume-OpenSSL-1.1.0i-from-Fedora-28.patch [bz#1650390]
+- ovmf-Upgrade-OpenSSL-to-1.1.0j.patch [bz#1650390]
+- Resolves: bz#1650390
+  (CVE-2018-5407 OVMF: openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) [rhel-7])
+- Resolves: bz#1666586
+  (CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7])
+- Resolves: bz#1684007
+  (CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.7])
+
+* Thu Nov 29 2018 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-4.gitee3198e672e2.el7
+- ovmf-redhat-provide-firmware-descriptor-meta-files.patch [bz#1608599]
+- Resolves: bz#1608599
+  ([RHEL 7.7] RFE: provide firmware descriptor meta-files for OVMF)
 
 * Fri Jul 27 2018 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-3.gitee3198e672e2.el7
 - ovmf-redhat-provide-virtual-bundled-OpenSSL-in-OVMF.patch [bz#1607792]