MdePkg: UefiFileHandleLib: fix buffer overrun in FileHandleReadLine()

If the size of the supplied buffer in FileHandleReadLine(), module UefiFileHandleLib.c, was not 0, but was not enough to fit in the line, the size is increased, and then the Buffer of the new size is zeroed. This size is always larger than the supplied buffer size, causing supplied buffer overrun. Fix the issue by using the supplied buffer size in ZeroMem(). Signed-off-by: Vladimir Olovyannikov <[email protected]> Cc: Michael D Kinney <[email protected]> Cc: Liming Gao <[email protected]> Cc: Zhiguang Liu <[email protected]> Message-Id: <[email protected]> Reviewed-by: Zhiguang Liu <[email protected]> [[email protected]: remove stray space character from subject line]
shenglei10 · Aug 24, 2020 · 4535fc3 · 4535fc3
1 parent d4e0b96
commit 4535fc3
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
@@ -969,6 +969,7 @@ FileHandleReadLine(
   UINTN       CharSize;
   UINTN       CountSoFar;
   UINTN       CrCount;
+  UINTN       OldSize;
   UINT64      OriginalFilePosition;
 
   if (Handle == NULL
@@ -1039,10 +1040,11 @@ FileHandleReadLine(
   // if we ran out of space tell when...
   //
   if ((CountSoFar+1-CrCount)*sizeof(CHAR16) > *Size){
+    OldSize = *Size;
     *Size = (CountSoFar+1-CrCount)*sizeof(CHAR16);
     if (!Truncate) {
-      if (Buffer != NULL && *Size != 0) {
-        ZeroMem(Buffer, *Size);
+      if (Buffer != NULL && OldSize != 0) {
+        ZeroMem(Buffer, OldSize);
       }
       FileHandleSetPosition(Handle, OriginalFilePosition);
       return (EFI_BUFFER_TOO_SMALL);