Dandan:
I have two comments.

1) The API change in AppendToMultiString() is not necessary.

2) MdeModulePkg\Universal\SetupBrowserDxe\Setup.c, line 1708, you update local variable Length = Length + 1, it will cause the follow access wrong. Please double confirm it again.

Thanks
Liming
From: Bi, Dandan
Sent: Friday, June 19, 2015 1:58 PM
To: 'edk2-***@lists.sourceforge.net'; Dong, Eric; Gao, Liming; Qiu, Shumin
Subject: [patch] [MdeModulePkg][HII]Use safe string functions

Replace unsafe String functions with new added safe string functions

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <***@intel.com<mailto:***@intel.com>>
Reviewed-by: Eric Dong <***@intel.com<mailto:***@intel.com>>
---
MdeModulePkg/Library/UefiHiiLib/HiiLib.c | 25 ++++---
.../Universal/DisplayEngineDxe/FormDisplay.c | 32 ++++----
.../Universal/DisplayEngineDxe/InputHandler.c | 20 ++---
.../Universal/DisplayEngineDxe/ProcessOptions.c | 32 ++++----
.../Universal/DriverSampleDxe/DriverSample.c | 10 +--
.../HiiDatabaseDxe/ConfigKeywordHandler.c | 56 +++++++-------
.../Universal/HiiDatabaseDxe/ConfigRouting.c | 85 ++++++++++++----------
MdeModulePkg/Universal/HiiDatabaseDxe/Database.c | 6 +-
MdeModulePkg/Universal/HiiDatabaseDxe/Font.c | 20 +++--
MdeModulePkg/Universal/HiiDatabaseDxe/String.c | 10 +--
.../Universal/SetupBrowserDxe/Expression.c | 8 +-
MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c | 17 +++--
MdeModulePkg/Universal/SetupBrowserDxe/Setup.c | 59 ++++++++-------
13 files changed, 214 insertions(+), 166 deletions(-)

diff --git a/MdeModulePkg/Library/UefiHiiLib/HiiLib.c b/MdeModulePkg/Library/UefiHiiLib/HiiLib.c
index 7ae5c4c..bee5e0d 100644
--- a/MdeModulePkg/Library/UefiHiiLib/HiiLib.c
+++ b/MdeModulePkg/Library/UefiHiiLib/HiiLib.c
@@ -1,9 +1,9 @@
/** @file
HII Library implementation that uses DXE protocols and services.

- Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php

@@ -604,10 +604,11 @@ HiiConstructConfigHdr (
UINTN DevicePathSize;
CHAR16 *String;
CHAR16 *ReturnString;
UINTN Index;
UINT8 *Buffer;
+ UINTN MaxLen;

//
// Compute the length of Name in Unicode characters.
// If Name is NULL, then the length is 0.
//
@@ -634,19 +635,21 @@ HiiConstructConfigHdr (

//
// GUID=<HexCh>32&NAME=<Char>NameLength&PATH=<HexChar>DevicePathSize <Null>
// | 5 | sizeof (EFI_GUID) * 2 | 6 | NameStrLen*4 | 6 | DevicePathSize * 2 | 1 |
//
- String = AllocateZeroPool ((5 + sizeof (EFI_GUID) * 2 + 6 + NameLength * 4 + 6 + DevicePathSize * 2 + 1) * sizeof (CHAR16));
+ MaxLen = 5 + sizeof (EFI_GUID) * 2 + 6 + NameLength * 4 + 6 + DevicePathSize * 2 + 1;
+ String = AllocateZeroPool (MaxLen * sizeof (CHAR16));
if (String == NULL) {
return NULL;
}

//
// Start with L"GUID="
//
- ReturnString = StrCpy (String, L"GUID=");
+ StrCpyS (String, MaxLen, L"GUID=");
+ ReturnString = String;
String += StrLen (String);

if (Guid != NULL) {
//
// Append Guid converted to <HexCh>32
@@ -657,11 +660,11 @@ HiiConstructConfigHdr (
}

//
// Append L"&NAME="
//
- StrCpy (String, L"&NAME=");
+ StrCpyS (String, MaxLen, L"&NAME=");
String += StrLen (String);

if (Name != NULL) {
//
// Append Name converted to <Char>NameLength
@@ -672,11 +675,11 @@ HiiConstructConfigHdr (
}

//
// Append L"&PATH="
//
- StrCpy (String, L"&PATH=");
+ StrCpyS (String, MaxLen, L"&PATH=");
String += StrLen (String);

//
// Append the device path associated with DriverHandle converted to <HexChar>DevicePathSize
//
@@ -784,11 +787,11 @@ InternalHiiGetBufferFromString (
// Convert character one by one
//
StringPtr = (CHAR16 *) DataBuffer;
ZeroMem (TemStr, sizeof (TemStr));
for (Index = 0; Index < Length; Index += 4) {
- StrnCpy (TemStr, ConfigHdr + Index, 4);
+ StrnCpyS (TemStr, sizeof (TemStr) / sizeof (CHAR16), ConfigHdr + Index, 4);
StringPtr[Index/4] = (CHAR16) StrHexToUint64 (TemStr);
}
//
// Add tailing L'\0' character
//
@@ -2009,10 +2012,11 @@ InternalHiiIfrValueAction (
EFI_GUID *VarGuid;
EFI_STRING VarName;

EFI_HII_PACKAGE_LIST_HEADER *HiiPackageList;
UINTN PackageListLength;
+ UINTN MaxLen;
EFI_DEVICE_PATH_PROTOCOL *DevicePath;
EFI_DEVICE_PATH_PROTOCOL *TempDevicePath;

ConfigAltResp = NULL;
ConfigResp = NULL;
@@ -2264,18 +2268,19 @@ NextConfigAltResp:

//
// Construct ConfigAltHdr string "&<ConfigHdr>&ALTCFG=\0"
// | 1 | StrLen (ConfigHdr) | 8 | 1 |
//
- ConfigAltHdr = AllocateZeroPool ((1 + StringPtr - StringHdr + 8 + 1) * sizeof (CHAR16));
+ MaxLen = 1 + StringPtr - StringHdr + 8 + 1;
+ ConfigAltHdr = AllocateZeroPool ( MaxLen * sizeof (CHAR16));
if (ConfigAltHdr == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Done;
}
- StrCpy (ConfigAltHdr, L"&");
- StrnCat (ConfigAltHdr, StringHdr, StringPtr - StringHdr);
- StrCat (ConfigAltHdr, L"&ALTCFG=");
+ StrCpyS (ConfigAltHdr, MaxLen, L"&");
+ StrnCatS (ConfigAltHdr, MaxLen, StringHdr, StringPtr - StringHdr);
+ StrCatS (ConfigAltHdr, MaxLen, L"&ALTCFG=");

//
// Skip all AltResp (AltConfigHdr ConfigBody) for the same ConfigHdr
//
while ((StringHdr = StrStr (StringPtr, ConfigAltHdr)) != NULL) {
diff --git a/MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.c b/MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.c
index e198a5e..0e70a9e 100644
--- a/MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.c
+++ b/MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.c
@@ -2147,10 +2147,11 @@ FxConfirmPopup (
CHAR16 *CfmStr;
UINTN CfmStrLen;
UINT32 CheckFlags;
BOOLEAN RetVal;
UINTN CatLen;
+ UINTN MaxLen;

CfmStrLen = 0;
CatLen = StrLen (gConfirmMsgConnect);

//
@@ -2207,54 +2208,55 @@ FxConfirmPopup (

//
// Allocate buffer to save the string.
// String + "?" + "\0"
//
- CfmStr = AllocateZeroPool ((CfmStrLen + 1 + 1) * sizeof (CHAR16));
+ MaxLen = CfmStrLen + 1 + 1;
+ CfmStr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (CfmStr != NULL);

if ((Action & BROWSER_ACTION_DISCARD) == BROWSER_ACTION_DISCARD) {
- StrCpy (CfmStr, gConfirmDiscardMsg);
+ StrCpyS (CfmStr, MaxLen, gConfirmDiscardMsg);
}

if ((Action & BROWSER_ACTION_DEFAULT) == BROWSER_ACTION_DEFAULT) {
if (CfmStr[0] != 0) {
- StrCat (CfmStr, gConfirmMsgConnect);
- StrCat (CfmStr, gConfirmDefaultMsg2nd);
+ StrCatS (CfmStr, MaxLen, gConfirmMsgConnect);
+ StrCatS (CfmStr, MaxLen, gConfirmDefaultMsg2nd);
} else {
- StrCpy (CfmStr, gConfirmDefaultMsg);
+ StrCpyS (CfmStr, MaxLen, gConfirmDefaultMsg);
}
}

if ((Action & BROWSER_ACTION_SUBMIT) == BROWSER_ACTION_SUBMIT) {
if (CfmStr[0] != 0) {
- StrCat (CfmStr, gConfirmMsgConnect);
- StrCat (CfmStr, gConfirmSubmitMsg2nd);
+ StrCatS (CfmStr, MaxLen, gConfirmMsgConnect);
+ StrCatS (CfmStr, MaxLen, gConfirmSubmitMsg2nd);
} else {
- StrCpy (CfmStr, gConfirmSubmitMsg);
+ StrCpyS (CfmStr, MaxLen, gConfirmSubmitMsg);
}
}

if ((Action & BROWSER_ACTION_RESET) == BROWSER_ACTION_RESET) {
if (CfmStr[0] != 0) {
- StrCat (CfmStr, gConfirmMsgConnect);
- StrCat (CfmStr, gConfirmResetMsg2nd);
+ StrCatS (CfmStr, MaxLen, gConfirmMsgConnect);
+ StrCatS (CfmStr, MaxLen, gConfirmResetMsg2nd);
} else {
- StrCpy (CfmStr, gConfirmResetMsg);
+ StrCpyS (CfmStr, MaxLen, gConfirmResetMsg);
}
}

if ((Action & BROWSER_ACTION_EXIT) == BROWSER_ACTION_EXIT) {
if (CfmStr[0] != 0) {
- StrCat (CfmStr, gConfirmMsgConnect);
- StrCat (CfmStr, gConfirmExitMsg2nd);
+ StrCatS (CfmStr, MaxLen, gConfirmMsgConnect);
+ StrCatS (CfmStr, MaxLen, gConfirmExitMsg2nd);
} else {
- StrCpy (CfmStr, gConfirmExitMsg);
+ StrCpyS (CfmStr, MaxLen, gConfirmExitMsg);
}
}

- StrCat (CfmStr, gConfirmMsgEnd);
+ StrCatS (CfmStr, MaxLen, gConfirmMsgEnd);

do {
CreateDialog (&Key, gEmptyString, CfmStr, gConfirmOpt, gEmptyString, NULL);
} while (((Key.UnicodeChar | UPPER_LOWER_CASE_OFFSET) != (gConfirmOptYes[0] | UPPER_LOWER_CASE_OFFSET)) &&
((Key.UnicodeChar | UPPER_LOWER_CASE_OFFSET) != (gConfirmOptNo[0] | UPPER_LOWER_CASE_OFFSET)));
diff --git a/MdeModulePkg/Universal/DisplayEngineDxe/InputHandler.c b/MdeModulePkg/Universal/DisplayEngineDxe/InputHandler.c
index a0b87ff..bbbbdaa 100644
--- a/MdeModulePkg/Universal/DisplayEngineDxe/InputHandler.c
+++ b/MdeModulePkg/Universal/DisplayEngineDxe/InputHandler.c
@@ -1,9 +1,9 @@
/** @file
Implementation for handling user input from the User Interfaces.

-Copyright (c) 2004 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2004 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php

@@ -82,10 +82,11 @@ ReadString (
BOOLEAN CursorVisible;
UINTN Minimum;
UINTN Maximum;
FORM_DISPLAY_ENGINE_STATEMENT *Question;
BOOLEAN IsPassword;
+ UINTN MaxLen;

DimensionsWidth = gStatementDimensions.RightColumn - gStatementDimensions.LeftColumn;
DimensionsHeight = gStatementDimensions.BottomRow - gStatementDimensions.TopRow;

NullCharacter = CHAR_NULL;
@@ -100,11 +101,12 @@ ReadString (
IsPassword = TRUE;
} else {
IsPassword = FALSE;
}

- TempString = AllocateZeroPool ((Maximum + 1)* sizeof (CHAR16));
+ MaxLen = Maximum + 1;
+ TempString = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (TempString);

if (ScreenSize < (Maximum + 1)) {
ScreenSize = Maximum + 1;
}
@@ -242,35 +244,35 @@ ReadString (
TempString[Index] = CHAR_NULL;
}
//
// Effectively truncate string by 1 character
//
- StrCpy (StringPtr, TempString);
+ StrCpyS (StringPtr, MaxLen, TempString);
CurrentCursor --;
}

default:
//
// If it is the beginning of the string, don't worry about checking maximum limits
//
if ((StringPtr[0] == CHAR_NULL) && (Key.UnicodeChar != CHAR_BACKSPACE)) {
- StrnCpy (StringPtr, &Key.UnicodeChar, 1);
+ StrnCpyS (StringPtr, MaxLen, &Key.UnicodeChar, 1);
CurrentCursor++;
} else if ((GetStringWidth (StringPtr) < ((Maximum + 1) * sizeof (CHAR16))) && (Key.UnicodeChar != CHAR_BACKSPACE)) {
KeyPad[0] = Key.UnicodeChar;
KeyPad[1] = CHAR_NULL;
Count = GetStringWidth (StringPtr) / 2 - 1;
if (CurrentCursor < Count) {
for (Index = 0; Index < CurrentCursor; Index++) {
TempString[Index] = StringPtr[Index];
}
TempString[Index] = CHAR_NULL;
- StrCat (TempString, KeyPad);
- StrCat (TempString, StringPtr + CurrentCursor);
- StrCpy (StringPtr, TempString);
+ StrCatS (TempString, MaxLen, KeyPad);
+ StrCatS (TempString, MaxLen, StringPtr + CurrentCursor);
+ StrCpyS (StringPtr, MaxLen, TempString);
} else {
- StrCat (StringPtr, KeyPad);
+ StrCatS (StringPtr, MaxLen, KeyPad);
}
CurrentCursor++;
}

//
@@ -1445,11 +1447,11 @@ GetSelectionInputPopUp (
TempStringPtr = AllocateZeroPool (sizeof (CHAR16) * (PopUpWidth - 1));
ASSERT ( TempStringPtr != NULL );
CopyMem (TempStringPtr, StringPtr, (sizeof (CHAR16) * (PopUpWidth - 5)));
FreePool (StringPtr);
StringPtr = TempStringPtr;
- StrCat (StringPtr, L"...");
+ StrCatS (StringPtr, PopUpWidth - 1, L"...");
}

if (Index == HighlightOptionIndex) {
//
// Highlight the selected one
diff --git a/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c b/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
index 84ae03e..926d18b 100644
--- a/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
+++ b/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
@@ -1,10 +1,10 @@
/** @file
Implementation for handling the User Interface option processing.


-Copyright (c) 2004 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2004 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php

@@ -26,10 +26,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.

**/
VOID
NewStrCat (
IN OUT CHAR16 *Destination,
+ IN UINTN DestMax,
IN CHAR16 *Source
)
{
UINTN Length;

@@ -43,11 +44,11 @@ NewStrCat (
// If this assumption changes, we need to make this routine a bit more complex
//
Destination[Length] = NARROW_CHAR;
Length++;

- StrCpy (Destination + Length, Source);
+ StrCpyS (Destination + Length, DestMax - Length, Source);
}

/**
Get UINT64 type value.

@@ -955,10 +956,11 @@ ProcessOptions (
UINTN Index2;
UINT8 *ValueArray;
UINT8 ValueType;
EFI_IFR_ORDERED_LIST *OrderList;
BOOLEAN ValueInvalid;
+ UINTN MaxLen;

Status = EFI_SUCCESS;

StringPtr = NULL;
Character[1] = L'\0';
@@ -997,11 +999,12 @@ ProcessOptions (
} else {
//
// We now know how many strings we will have, so we can allocate the
// space required for the array or strings.
//
- *OptionString = AllocateZeroPool (OrderList->MaxContainers * BufferSize);
+ MaxLen = OrderList->MaxContainers * BufferSize / sizeof (CHAR16);
+ *OptionString = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (*OptionString);

HiiValue.Type = ValueType;
HiiValue.Value.u64 = 0;
for (Index = 0; Index < OrderList->MaxContainers; Index++) {
@@ -1055,18 +1058,18 @@ ProcessOptions (
*OptionString = NULL;
return EFI_NOT_FOUND;
}

Character[0] = LEFT_ONEOF_DELIMITER;
- NewStrCat (OptionString[0], Character);
+ NewStrCat (OptionString[0], MaxLen, Character);
StringPtr = GetToken (OneOfOption->OptionOpCode->Option, gFormData->HiiHandle);
ASSERT (StringPtr != NULL);
- NewStrCat (OptionString[0], StringPtr);
+ NewStrCat (OptionString[0], MaxLen, StringPtr);
Character[0] = RIGHT_ONEOF_DELIMITER;
- NewStrCat (OptionString[0], Character);
+ NewStrCat (OptionString[0], MaxLen, Character);
Character[0] = CHAR_CARRIAGE_RETURN;
- NewStrCat (OptionString[0], Character);
+ NewStrCat (OptionString[0], MaxLen, Character);
FreePool (StringPtr);
}

//
// If valid option more than the max container, skip these options.
@@ -1090,18 +1093,18 @@ ProcessOptions (
if (SkipErrorValue) {
//
// Not report error, just get the correct option string info.
//
Character[0] = LEFT_ONEOF_DELIMITER;
- NewStrCat (OptionString[0], Character);
+ NewStrCat (OptionString[0], MaxLen, Character);
StringPtr = GetToken (OneOfOption->OptionOpCode->Option, gFormData->HiiHandle);
ASSERT (StringPtr != NULL);
- NewStrCat (OptionString[0], StringPtr);
+ NewStrCat (OptionString[0], MaxLen, StringPtr);
Character[0] = RIGHT_ONEOF_DELIMITER;
- NewStrCat (OptionString[0], Character);
+ NewStrCat (OptionString[0], MaxLen, Character);
Character[0] = CHAR_CARRIAGE_RETURN;
- NewStrCat (OptionString[0], Character);
+ NewStrCat (OptionString[0], MaxLen, Character);
FreePool (StringPtr);

continue;
}

@@ -1149,10 +1152,11 @@ ProcessOptions (
//
// Go ask for input
//
Status = GetSelectionInputPopUp (MenuOption);
} else {
+ MaxLen = BufferSize / sizeof(CHAR16);
*OptionString = AllocateZeroPool (BufferSize);
ASSERT (*OptionString);

OneOfOption = ValueToOption (Question, QuestionValue);
if (OneOfOption == NULL) {
@@ -1202,16 +1206,16 @@ ProcessOptions (
return EFI_NOT_FOUND;
}
}

Character[0] = LEFT_ONEOF_DELIMITER;
- NewStrCat (OptionString[0], Character);
+ NewStrCat (OptionString[0], MaxLen, Character);
StringPtr = GetToken (OneOfOption->OptionOpCode->Option, gFormData->HiiHandle);
ASSERT (StringPtr != NULL);
- NewStrCat (OptionString[0], StringPtr);
+ NewStrCat (OptionString[0], MaxLen, StringPtr);
Character[0] = RIGHT_ONEOF_DELIMITER;
- NewStrCat (OptionString[0], Character);
+ NewStrCat (OptionString[0], MaxLen, Character);

FreePool (StringPtr);
}
break;

diff --git a/MdeModulePkg/Universal/DriverSampleDxe/DriverSample.c b/MdeModulePkg/Universal/DriverSampleDxe/DriverSample.c
index 22b6b26..a21f58a 100644
--- a/MdeModulePkg/Universal/DriverSampleDxe/DriverSample.c
+++ b/MdeModulePkg/Universal/DriverSampleDxe/DriverSample.c
@@ -328,11 +328,11 @@ ValidatePassword (
//
// Validate old password
//
EncodedPassword = AllocateZeroPool (PasswordMaxSize);
ASSERT (EncodedPassword != NULL);
- StrnCpy (EncodedPassword, Password, StrLen (Password));
+ StrnCpyS (EncodedPassword, PasswordMaxSize / sizeof (CHAR16), Password, StrLen (Password));
EncodePassword (EncodedPassword, StrLen (EncodedPassword) * sizeof (CHAR16));
if (CompareMem (EncodedPassword, PrivateData->Configuration.WhatIsThePassword2, PasswordMaxSize) != 0) {
//
// Old password mismatch, return EFI_NOT_READY to prompt for error message
//
@@ -398,11 +398,11 @@ SetPassword (
}
if (StrSize (TempPassword) > PasswordSize) {
FreePool (TempPassword);
return EFI_NOT_READY;
}
- StrnCpy (Password, TempPassword, StrLen (TempPassword));
+ StrnCpyS (Password, PasswordSize / sizeof (CHAR16), TempPassword, StrLen (TempPassword));
FreePool (TempPassword);

//
// Retrive uncommitted data from Browser
//
@@ -599,11 +599,11 @@ CreateAltCfgString (
return NULL;
}

TmpStr = StringPtr;
if (Result != NULL) {
- StrCpy (StringPtr, Result);
+ StrCpyS (StringPtr, NewLen / sizeof (CHAR16), Result);
StringPtr += StrLen (Result);
FreePool (Result);
}

UnicodeSPrint (
@@ -906,11 +906,11 @@ ExtractConfig (
1 + sizeof (PrivateData->Configuration.NameValueVar0) * 2 +
1 + sizeof (PrivateData->Configuration.NameValueVar1) * 2 +
1 + sizeof (PrivateData->Configuration.NameValueVar2) * 2 + 1) * sizeof (CHAR16);
*Results = AllocateZeroPool (BufferSize);
ASSERT (*Results != NULL);
- StrCpy (*Results, ConfigRequest);
+ StrCpyS (*Results, BufferSize / sizeof (CHAR16), ConfigRequest);
Value = *Results;

//
// Append value of NameValueVar0, type is UINT8
//
@@ -1182,11 +1182,11 @@ RouteConfig (
// Convert Config String to Unicode String, e.g "0041004200430044" => "ABCD"
//
StrBuffer = (CHAR16 *) PrivateData->Configuration.NameValueVar2;
ZeroMem (TemStr, sizeof (TemStr));
while (Value < StrPtr) {
- StrnCpy (TemStr, Value, 4);
+ StrnCpyS (TemStr, sizeof (TemStr) / sizeof (CHAR16), Value, 4);
*(StrBuffer++) = (CHAR16) StrHexToUint64 (TemStr);
Value += 4;
}
*StrBuffer = L'\0';
}
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c b/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c
index 2f04411..529e90f 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c
@@ -1668,10 +1668,11 @@ ConstructConfigHdr (
UINTN Index;
UINT8 *Buffer;
CHAR16 *Name;
CHAR8 *AsciiName;
EFI_GUID *Guid;
+ UINTN MaxLen;

ASSERT (OpCodeData != NULL);

switch (((EFI_IFR_OP_HEADER *)OpCodeData)->OpCode) {
case EFI_IFR_VARSTORE_OP:
@@ -1731,19 +1732,21 @@ ConstructConfigHdr (

//
// GUID=<HexCh>32&NAME=<Char>NameLength&PATH=<HexChar>DevicePathSize <Null>
// | 5 | sizeof (EFI_GUID) * 2 | 6 | NameStrLen*4 | 6 | DevicePathSize * 2 | 1 |
//
- String = AllocateZeroPool ((5 + sizeof (EFI_GUID) * 2 + 6 + NameLength * 4 + 6 + DevicePathSize * 2 + 1) * sizeof (CHAR16));
+ MaxLen = 5 + sizeof (EFI_GUID) * 2 + 6 + NameLength * 4 + 6 + DevicePathSize * 2 + 1;
+ String = AllocateZeroPool (MaxLen * sizeof (CHAR16));
if (String == NULL) {
return NULL;
}

//
// Start with L"GUID="
//
- ReturnString = StrCpy (String, L"GUID=");
+ StrCpyS (String, MaxLen, L"GUID=");
+ ReturnString = String;
String += StrLen (String);

if (Guid != NULL) {
//
// Append Guid converted to <HexCh>32
@@ -1754,11 +1757,11 @@ ConstructConfigHdr (
}

//
// Append L"&NAME="
//
- StrCpy (String, L"&NAME=");
+ StrCpyS (String, MaxLen, L"&NAME=");
String += StrLen (String);

if (Name != NULL) {
//
// Append Name converted to <Char>NameLength
@@ -1769,11 +1772,11 @@ ConstructConfigHdr (
}

//
// Append L"&PATH="
//
- StrCpy (String, L"&PATH=");
+ StrCpyS (String, MaxLen, L"&PATH=");
String += StrLen (String);

//
// Append the device path associated with DriverHandle converted to <HexChar>DevicePathSize
//
@@ -1989,11 +1992,11 @@ ExtractConfigRequest (
CHAR16 *Name;
UINT16 Offset;
UINT16 Width;
CHAR16 *ConfigHdr;
CHAR16 *RequestElement;
- UINTN Length;
+ UINTN MaxLen;
CHAR16 *StringPtr;

ASSERT (DatabaseRecord != NULL && OpCodeData != NULL && ConfigRequest != NULL);

OpCode = NULL;
@@ -2030,26 +2033,26 @@ ExtractConfigRequest (
}
RequestElement = ConstructRequestElement(Name, Offset, Width);
ConfigHdr = ConstructConfigHdr(Storage, DatabaseRecord->DriverHandle);
ASSERT (ConfigHdr != NULL);

- Length = (StrLen (ConfigHdr) + 1 + StrLen(RequestElement) + 1) * sizeof (CHAR16);
- *ConfigRequest = AllocatePool (Length);
+ MaxLen = StrLen (ConfigHdr) + 1 + StrLen(RequestElement) + 1;
+ *ConfigRequest = AllocatePool (MaxLen * sizeof (CHAR16));
if (*ConfigRequest == NULL) {
FreePool (ConfigHdr);
FreePool (RequestElement);
return EFI_OUT_OF_RESOURCES;
}
StringPtr = *ConfigRequest;

- StrCpy (StringPtr, ConfigHdr);
+ StrCpyS (StringPtr, MaxLen, ConfigHdr);
StringPtr += StrLen (StringPtr);

*StringPtr = L'&';
StringPtr++;

- StrCpy (StringPtr, RequestElement);
+ StrCpyS (StringPtr, MaxLen, RequestElement);
StringPtr += StrLen (StringPtr);
*StringPtr = L'\0';

FreePool (ConfigHdr);
FreePool (RequestElement);
@@ -2096,11 +2099,11 @@ ExtractConfigResp (
CHAR16 *Name;
UINT16 Offset;
UINT16 Width;
CHAR16 *ConfigHdr;
CHAR16 *RequestElement;
- UINTN Length;
+ UINTN MaxLen;
CHAR16 *StringPtr;

ASSERT ((DatabaseRecord != NULL) && (OpCodeData != NULL) && (ConfigResp != NULL) && (ValueElement != NULL));

OpCode = NULL;
@@ -2138,35 +2141,35 @@ ExtractConfigResp (
RequestElement = ConstructRequestElement(Name, Offset, Width);

ConfigHdr = ConstructConfigHdr(Storage, DatabaseRecord->DriverHandle);
ASSERT (ConfigHdr != NULL);

- Length = (StrLen (ConfigHdr) + 1 + StrLen(RequestElement) + 1 + StrLen (L"VALUE=") + StrLen(ValueElement) + 1) * sizeof (CHAR16);
- *ConfigResp = AllocatePool (Length);
+ MaxLen = StrLen (ConfigHdr) + 1 + StrLen(RequestElement) + 1 + StrLen (L"VALUE=") + StrLen(ValueElement) + 1;
+ *ConfigResp = AllocatePool (MaxLen * sizeof (CHAR16));
if (*ConfigResp == NULL) {
FreePool (ConfigHdr);
FreePool (RequestElement);
return EFI_OUT_OF_RESOURCES;
}
StringPtr = *ConfigResp;

- StrCpy (StringPtr, ConfigHdr);
+ StrCpyS (StringPtr, MaxLen, ConfigHdr);
StringPtr += StrLen (StringPtr);

*StringPtr = L'&';
StringPtr++;

- StrCpy (StringPtr, RequestElement);
+ StrCpyS (StringPtr, MaxLen, RequestElement);
StringPtr += StrLen (StringPtr);

*StringPtr = L'&';
StringPtr++;

- StrCpy (StringPtr, L"VALUE=");
+ StrCpyS (StringPtr, MaxLen, L"VALUE=");
StringPtr += StrLen (StringPtr);

- StrCpy (StringPtr, ValueElement);
+ StrCpyS (StringPtr, MaxLen, ValueElement);
StringPtr += StrLen (StringPtr);
*StringPtr = L'\0';

FreePool (ConfigHdr);
FreePool (RequestElement);
@@ -2431,13 +2434,14 @@ GenerateKeywordResp (
if (ReadOnly) {
RespStrLen += 9;
}

//
- // 2. Allocate the buffer and create the KeywordResp string.
+ // 2. Allocate the buffer and create the KeywordResp string include '\0'.
//
- *KeywordResp = AllocatePool ((RespStrLen + 1) * sizeof (CHAR16));
+ RespStrLen += 1;
+ *KeywordResp = AllocatePool (RespStrLen * sizeof (CHAR16));
if (*KeywordResp == NULL) {
if (UnicodeNameSpace != NULL) {
FreePool (UnicodeNameSpace);
}

@@ -2446,40 +2450,40 @@ GenerateKeywordResp (
RespStr = *KeywordResp;

//
// 2.1 Copy NameSpaceId section.
//
- StrCpy (RespStr, L"NAMESPACE=");
+ StrCpyS (RespStr, RespStrLen, L"NAMESPACE=");
RespStr += StrLen (RespStr);
- StrCpy (RespStr, UnicodeNameSpace);
+ StrCpyS (RespStr, RespStrLen, UnicodeNameSpace);
RespStr += StrLen (RespStr);

//
// 2.2 Copy PathHdr section.
//
- StrCpy (RespStr, PathHdr);
+ StrCpyS (RespStr, RespStrLen, PathHdr);
RespStr += StrLen (RespStr);

//
// 2.3 Copy Keyword section.
//
- StrCpy (RespStr, L"KEYWORD=");
+ StrCpyS (RespStr, RespStrLen, L"KEYWORD=");
RespStr += StrLen (RespStr);
- StrCpy (RespStr, KeywordData);
+ StrCpyS (RespStr, RespStrLen, KeywordData);
RespStr += StrLen (RespStr);

//
// 2.4 Copy the Value section.
//
- StrCpy (RespStr, ValueStr);
+ StrCpyS (RespStr, RespStrLen, ValueStr);
RespStr += StrLen (RespStr);

//
// 2.5 Copy ReadOnly section if exist.
//
if (ReadOnly) {
- StrCpy (RespStr, L"&READONLY");
+ StrCpyS (RespStr, RespStrLen, L"&READONLY");
RespStr += StrLen (RespStr);
}

//
// 2.6 Add the end.
@@ -2536,11 +2540,11 @@ MergeToMultiKeywordResp (
StringPtr += StrLen (StringPtr);

*StringPtr = L'&';
StringPtr++;

- StrCpy (StringPtr, *KeywordResp);
+ StrCpyS (StringPtr, MultiKeywordRespLen / sizeof (CHAR16), *KeywordResp);

return EFI_SUCCESS;
}

/**
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigRouting.c b/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigRouting.c
index 4caf361..14d0998 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigRouting.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigRouting.c
@@ -1,9 +1,9 @@
/** @file
Implementation of interfaces function for EFI_HII_CONFIG_ROUTING_PROTOCOL.

-Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php

@@ -250,12 +250,11 @@ GenerateSubStr (
//
Length = StrLen (String) + BufferLen * 2 + 1 + 1;
Str = AllocateZeroPool (Length * sizeof (CHAR16));
ASSERT (Str != NULL);

- StrCpy (Str, String);
- Length = (BufferLen * 2 + 1) * sizeof (CHAR16);
+ StrCpyS (Str, Length, String);

StringHeader = Str + StrLen (String);
TemString = (CHAR16 *) StringHeader;

switch (Flag) {
@@ -295,11 +294,11 @@ GenerateSubStr (
}

//
// Convert the uppercase to lowercase since <HexAf> is defined in lowercase format.
//
- StrCat (Str, L"&");
+ StrCatS (Str, Length, L"&");
HiiToLower (Str);

*SubStr = Str;
}

@@ -385,39 +384,45 @@ OutputConfigBody (

**/
EFI_STATUS
AppendToMultiString (
IN OUT EFI_STRING *MultiString,
+ IN UINTN MultiStringMaxSize,
IN EFI_STRING AppendString
)
{
UINTN AppendStringSize;
UINTN MultiStringSize;
+ UINTN TotalSize;
+ UINTN MaxLen;

if (MultiString == NULL || *MultiString == NULL || AppendString == NULL) {
return EFI_INVALID_PARAMETER;
}

AppendStringSize = StrSize (AppendString);
MultiStringSize = StrSize (*MultiString);
+ TotalSize = MultiStringSize + AppendStringSize;
+ MaxLen = MultiStringMaxSize / sizeof (CHAR16);

//
// Enlarge the buffer each time when length exceeds MAX_STRING_LENGTH.
//
- if (MultiStringSize + AppendStringSize > MAX_STRING_LENGTH ||
+ if (TotalSize > MAX_STRING_LENGTH ||
MultiStringSize > MAX_STRING_LENGTH) {
*MultiString = (EFI_STRING) ReallocatePool (
MultiStringSize,
- MultiStringSize + AppendStringSize,
+ TotalSize,
(VOID *) (*MultiString)
);
+ MaxLen = TotalSize / sizeof (CHAR16);
ASSERT (*MultiString != NULL);
}
//
// Append the incoming string
//
- StrCat (*MultiString, AppendString);
+ StrCatS (*MultiString, MaxLen, AppendString);

return EFI_SUCCESS;
}


@@ -534,10 +539,12 @@ MergeDefaultString (
CHAR16 TempChar;
EFI_STRING StringPtr;
EFI_STRING AltConfigHdr;
UINTN HeaderLength;
UINTN SizeAltCfgResp;
+ UINTN MaxLen;
+ UINTN TotalSize;

if (*AltCfgResp == NULL) {
return EFI_INVALID_PARAMETER;
}

@@ -570,61 +577,63 @@ MergeDefaultString (

//
// Construct AltConfigHdr string "&<ConfigHdr>&ALTCFG=XXXX\0"
// |1| StrLen (ConfigHdr) | 8 | 4 | 1 |
//
- AltConfigHdr = AllocateZeroPool ((1 + HeaderLength + 8 + 4 + 1) * sizeof (CHAR16));
+ MaxLen = 1 + HeaderLength + 8 + 4 + 1;
+ AltConfigHdr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
if (AltConfigHdr == NULL) {
return EFI_OUT_OF_RESOURCES;
}
- StrCpy (AltConfigHdr, L"&");
- StrnCat (AltConfigHdr, *AltCfgResp, HeaderLength);
- StrCat (AltConfigHdr, L"&ALTCFG=");
+ StrCpyS (AltConfigHdr, MaxLen, L"&");
+ StrnCatS (AltConfigHdr, MaxLen, *AltCfgResp, HeaderLength);
+ StrCatS (AltConfigHdr, MaxLen, L"&ALTCFG=");
HeaderLength = StrLen (AltConfigHdr);

StringPtrDefault = StrStr (DefaultAltCfgResp, AltConfigHdr);
while (StringPtrDefault != NULL) {
//
// Get AltCfg Name
//
- StrnCat (AltConfigHdr, StringPtrDefault + HeaderLength, 4);
+ StrnCatS (AltConfigHdr, MaxLen, StringPtrDefault + HeaderLength, 4);
StringPtr = StrStr (*AltCfgResp, AltConfigHdr);

//
// Append the found default value string to the input AltCfgResp
//
if (StringPtr == NULL) {
StringPtrEnd = StrStr (StringPtrDefault + 1, L"&GUID");
SizeAltCfgResp = StrSize (*AltCfgResp);
+ TotalSize = SizeAltCfgResp + StrSize (StringPtrDefault);
if (StringPtrEnd == NULL) {
//
// No more default string is found.
//
*AltCfgResp = (EFI_STRING) ReallocatePool (
SizeAltCfgResp,
- SizeAltCfgResp + StrSize (StringPtrDefault),
+ TotalSize,
(VOID *) (*AltCfgResp)
);
if (*AltCfgResp == NULL) {
FreePool (AltConfigHdr);
return EFI_OUT_OF_RESOURCES;
}
- StrCat (*AltCfgResp, StringPtrDefault);
+ StrCatS (*AltCfgResp, TotalSize / sizeof (CHAR16), StringPtrDefault);
break;
} else {
TempChar = *StringPtrEnd;
*StringPtrEnd = L'\0';
*AltCfgResp = (EFI_STRING) ReallocatePool (
SizeAltCfgResp,
- SizeAltCfgResp + StrSize (StringPtrDefault),
+ TotalSize,
(VOID *) (*AltCfgResp)
);
if (*AltCfgResp == NULL) {
FreePool (AltConfigHdr);
return EFI_OUT_OF_RESOURCES;
}
- StrCat (*AltCfgResp, StringPtrDefault);
+ StrCatS (*AltCfgResp, TotalSize / sizeof (CHAR16), StringPtrDefault);
*StringPtrEnd = TempChar;
}
}

//
@@ -1186,12 +1195,12 @@ GetVarStoreType (
FreePool (NameStr);
FreePool (VarStoreName);
Status = EFI_OUT_OF_RESOURCES;
goto Done;
}
- StrCpy (TempStr, GuidStr);
- StrCat (TempStr, NameStr);
+ StrCpyS (TempStr, LengthString, GuidStr);
+ StrCatS (TempStr, LengthString, NameStr);
if (ConfigHdr == NULL || StrnCmp (ConfigHdr, TempStr, StrLen (TempStr)) == 0) {
*EfiVarStore = (EFI_IFR_VARSTORE_EFI *) AllocateZeroPool (IfrOpHdr->Length);
if (*EfiVarStore == NULL) {
FreePool (VarStoreName);
FreePool (GuidStr);
@@ -1302,12 +1311,12 @@ IsThisVarstore (
TempStr = AllocateZeroPool (LengthString * sizeof (CHAR16));
if (TempStr == NULL) {
goto Done;
}

- StrCpy (TempStr, GuidStr);
- StrCat (TempStr, NameStr);
+ StrCpyS (TempStr, LengthString, GuidStr);
+ StrCatS (TempStr, LengthString, NameStr);

if (ConfigHdr == NULL || StrnCmp (ConfigHdr, TempStr, StrLen (TempStr)) == 0) {
RetVal = TRUE;
}

@@ -2664,11 +2673,11 @@ GenerateConfigRequest (
StringPtr = FullConfigRequest;

//
// Start with <ConfigHdr>
//
- StrCpy (StringPtr, ConfigHdr);
+ StrCpyS (StringPtr, Length, ConfigHdr);
StringPtr += StrLen (StringPtr);

//
// Loop through all the Offset/Width pairs and append them to ConfigRequest
//
@@ -2763,16 +2772,16 @@ GenerateHdr (
*ConfigHdr = AllocateZeroPool (Length * sizeof (CHAR16));
if (*ConfigHdr == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Done;
}
- StrCpy (*ConfigHdr, GuidStr);
- StrCat (*ConfigHdr, NameStr);
+ StrCpyS (*ConfigHdr, Length, GuidStr);
+ StrCatS (*ConfigHdr, Length, NameStr);
if (VarStorageData->Name == NULL) {
- StrCat (*ConfigHdr, L"&");
+ StrCatS (*ConfigHdr, Length, L"&");
}
- StrCat (*ConfigHdr, PathStr);
+ StrCatS (*ConfigHdr, Length, PathStr);

//
// Remove the last character L'&'
//
*(*ConfigHdr + StrLen (*ConfigHdr) - 1) = L'\0';
@@ -2932,11 +2941,11 @@ GenerateAltConfigResp (
StringPtr = *DefaultAltCfgResp;

//
// Start with <ConfigHdr>
//
- StrCpy (StringPtr, ConfigHdr);
+ StrCpyS (StringPtr, Length, ConfigHdr);
StringPtr += StrLen (StringPtr);

for (Link = DefaultIdArray->Entry.ForwardLink; Link != &DefaultIdArray->Entry; Link = Link->ForwardLink) {
DefaultId = BASE_CR (Link, IFR_DEFAULT_DATA, Entry);
//
@@ -3903,15 +3912,15 @@ HiiConfigRoutingExtractConfig (
DefaultResults = NULL;
}

NextConfigString:
if (!FirstElement) {
- Status = AppendToMultiString (Results, L"&");
+ Status = AppendToMultiString (Results, MAX_STRING_LENGTH, L"&");
ASSERT_EFI_ERROR (Status);
}

- Status = AppendToMultiString (Results, AccessResults);
+ Status = AppendToMultiString (Results, MAX_STRING_LENGTH, AccessResults);
ASSERT_EFI_ERROR (Status);

FirstElement = FALSE;

FreePool (AccessResults);
@@ -4135,15 +4144,15 @@ HiiConfigRoutingExportConfig (
//
// Attach this <ConfigAltResp> to a <MultiConfigAltResp>. There is a '&'
// which seperates the first <ConfigAltResp> and the following ones.
//
if (!FirstElement) {
- Status = AppendToMultiString (Results, L"&");
+ Status = AppendToMultiString (Results, MAX_STRING_LENGTH, L"&");
ASSERT_EFI_ERROR (Status);
}

- Status = AppendToMultiString (Results, AccessResults);
+ Status = AppendToMultiString (Results, MAX_STRING_LENGTH, AccessResults);
ASSERT_EFI_ERROR (Status);

FirstElement = FALSE;

FreePool (AccessResults);
@@ -4484,11 +4493,11 @@ HiiBlockToConfig (
StringPtr++;
}
if (*StringPtr == 0) {
*Progress = StringPtr;

- AppendToMultiString(Config, ConfigRequest);
+ AppendToMultiString(Config, MAX_STRING_LENGTH, ConfigRequest);
HiiToLower (*Config);

return EFI_SUCCESS;
}
//
@@ -4499,11 +4508,11 @@ HiiBlockToConfig (
//
// Copy <ConfigHdr> and an additional '&' to <ConfigResp>
//
TemChar = *StringPtr;
*StringPtr = '\0';
- AppendToMultiString(Config, ConfigRequest);
+ AppendToMultiString(Config, MAX_STRING_LENGTH, ConfigRequest);
*StringPtr = TemChar;

//
// Parse each <RequestElement> if exists
// Only <BlockName> format is supported by this help function.
@@ -4610,14 +4619,14 @@ HiiBlockToConfig (
CopyMem (ConfigElement, TmpPtr, (StringPtr - TmpPtr + 1) * sizeof (CHAR16));
if (*StringPtr == 0) {
*(ConfigElement + (StringPtr - TmpPtr)) = L'&';
}
*(ConfigElement + (StringPtr - TmpPtr) + 1) = 0;
- StrCat (ConfigElement, L"VALUE=");
- StrCat (ConfigElement, ValueStr);
+ StrCatS (ConfigElement, Length, L"VALUE=");
+ StrCatS (ConfigElement, Length, ValueStr);

- AppendToMultiString (Config, ConfigElement);
+ AppendToMultiString (Config, MAX_STRING_LENGTH, ConfigElement);

FreePool (ConfigElement);
FreePool (ValueStr);
ConfigElement = NULL;
ValueStr = NULL;
@@ -4626,11 +4635,11 @@ HiiBlockToConfig (
// If '\0', parsing is finished. Otherwise skip '&' to continue
//
if (*StringPtr == 0) {
break;
}
- AppendToMultiString (Config, L"&");
+ AppendToMultiString (Config, MAX_STRING_LENGTH, L"&");
StringPtr++;

}

if (*StringPtr != 0) {
@@ -5128,12 +5137,12 @@ Exit:
Length = HdrEnd - HdrStart + StrLen (Result) + 1;
*AltCfgResp = AllocateZeroPool (Length * sizeof (CHAR16));
if (*AltCfgResp == NULL) {
Status = EFI_OUT_OF_RESOURCES;
} else {
- StrnCpy (*AltCfgResp, HdrStart, HdrEnd - HdrStart);
- StrCat (*AltCfgResp, Result);
+ StrnCpyS (*AltCfgResp, Length, HdrStart, HdrEnd - HdrStart);
+ StrCatS (*AltCfgResp, Length, Result);
Status = EFI_SUCCESS;
}
}

if (GuidStr != NULL) {
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c
index 70c0385..7ea2e72 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c
@@ -1,9 +1,9 @@
/** @file
Implementation for EFI_HII_DATABASE_PROTOCOL.

-Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php

@@ -796,11 +796,11 @@ InsertStringPackage (
LanguageSize = HeaderSize - sizeof (EFI_HII_STRING_PACKAGE_HDR) + sizeof (CHAR8);
Language = (CHAR8 *) AllocateZeroPool (LanguageSize);
if (Language == NULL) {
return EFI_OUT_OF_RESOURCES;
}
- AsciiStrCpy (Language, (CHAR8 *) PackageHdr + HeaderSize - LanguageSize);
+ AsciiStrCpyS (Language, LanguageSize / sizeof (CHAR8), (CHAR8 *) PackageHdr + HeaderSize - LanguageSize);
for (Link = PackageList->StringPkgHdr.ForwardLink; Link != &PackageList->StringPkgHdr; Link = Link->ForwardLink) {
StringPackage = CR (Link, HII_STRING_PACKAGE_INSTANCE, StringEntry, HII_STRING_PACKAGE_SIGNATURE);
if (HiiCompareLanguage (Language, StringPackage->StringPkgHdr->Language)) {
FreePool (Language);
return EFI_UNSUPPORTED;
@@ -1180,11 +1180,11 @@ InsertFontPackage (
Status = EFI_OUT_OF_RESOURCES;
goto Error;
}
FontInfo->FontStyle = FontPkgHdr->FontStyle;
FontInfo->FontSize = FontPkgHdr->Cell.Height;
- StrCpy (FontInfo->FontName, FontPkgHdr->FontFamily);
+ StrCpyS (FontInfo->FontName, sizeof (FontInfo->FontName) / sizeof (CHAR16), FontPkgHdr->FontFamily);

if (IsFontInfoExisted (Private, FontInfo, NULL, NULL, NULL)) {
Status = EFI_UNSUPPORTED;
goto Error;
}
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Font.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Font.c
index 61e50c4..4b70b99 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Font.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Font.c
@@ -1,10 +1,10 @@
/** @file
Implementation for EFI_HII_FONT_PROTOCOL.


-Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php

@@ -931,20 +931,22 @@ SaveFontName (
IN EFI_STRING FontName,
OUT EFI_FONT_INFO **FontInfo
)
{
UINTN FontInfoLen;
+ UINTN NameSize;

ASSERT (FontName != NULL && FontInfo != NULL);

- FontInfoLen = sizeof (EFI_FONT_INFO) - sizeof (CHAR16) + StrSize (FontName);
+ NameSize = StrSize (FontName);
+ FontInfoLen = sizeof (EFI_FONT_INFO) - sizeof (CHAR16) + NameSize;
*FontInfo = (EFI_FONT_INFO *) AllocateZeroPool (FontInfoLen);
if (*FontInfo == NULL) {
return EFI_OUT_OF_RESOURCES;
}

- StrCpy ((*FontInfo)->FontName, FontName);
+ StrCpyS ((*FontInfo)->FontName, NameSize / sizeof (CHAR16), FontName);
return EFI_SUCCESS;
}


/**
@@ -969,10 +971,11 @@ GetSystemFont (
OUT UINTN *FontInfoSize OPTIONAL
)
{
EFI_FONT_DISPLAY_INFO *Info;
UINTN InfoSize;
+ UINTN NameSize;

if (Private == NULL || Private->Signature != HII_DATABASE_PRIVATE_DATA_SIGNATURE) {
return EFI_INVALID_PARAMETER;
}
if (FontInfo == NULL) {
@@ -980,22 +983,23 @@ GetSystemFont (
}

//
// The standard font always has the name "sysdefault".
//
- InfoSize = sizeof (EFI_FONT_DISPLAY_INFO) - sizeof (CHAR16) + StrSize (L"sysdefault");
+ NameSize = StrSize (L"sysdefault");
+ InfoSize = sizeof (EFI_FONT_DISPLAY_INFO) - sizeof (CHAR16) + NameSize;
Info = (EFI_FONT_DISPLAY_INFO *) AllocateZeroPool (InfoSize);
if (Info == NULL) {
return EFI_OUT_OF_RESOURCES;
}

Info->ForegroundColor = mHiiEfiColors[Private->Attribute & 0x0f];
Info->BackgroundColor = mHiiEfiColors[Private->Attribute >> 4];
Info->FontInfoMask = EFI_FONT_INFO_SYS_FONT | EFI_FONT_INFO_SYS_SIZE | EFI_FONT_INFO_SYS_STYLE;
Info->FontInfo.FontStyle = 0;
Info->FontInfo.FontSize = EFI_GLYPH_HEIGHT;
- StrCpy (Info->FontInfo.FontName, L"sysdefault");
+ StrCpyS (Info->FontInfo.FontName, NameSize / sizeof (CHAR16), L"sysdefault");

*FontInfo = Info;
if (FontInfoSize != NULL) {
*FontInfoSize = InfoSize;
}
@@ -2308,10 +2312,11 @@ HiiStringIdToImage (
HII_DATABASE_PRIVATE_DATA *Private;
EFI_HII_STRING_PROTOCOL *HiiString;
EFI_STRING String;
UINTN StringSize;
UINTN FontLen;
+ UINTN NameSize;
EFI_FONT_INFO *StringFontInfo;
EFI_FONT_DISPLAY_INFO *NewStringInfo;
CHAR8 TempSupportedLanguages;
CHAR8 *SupportedLanguages;
UINTN SupportedLanguagesSize;
@@ -2430,20 +2435,21 @@ HiiStringIdToImage (
// When StringInfo specifies that string will be output in the system default font and color,
// use particular stringfontinfo described in string package instead if exists.
// StringFontInfo equals NULL means system default font attaches with the string block.
//
if (StringFontInfo != NULL && IsSystemFontInfo (Private, (EFI_FONT_DISPLAY_INFO *) StringInfo, NULL, NULL)) {
- FontLen = sizeof (EFI_FONT_DISPLAY_INFO) - sizeof (CHAR16) + StrSize (StringFontInfo->FontName);
+ NameSize = StrSize (StringFontInfo->FontName);
+ FontLen = sizeof (EFI_FONT_DISPLAY_INFO) - sizeof (CHAR16) + NameSize;
NewStringInfo = AllocateZeroPool (FontLen);
if (NewStringInfo == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Exit;
}
NewStringInfo->FontInfoMask = EFI_FONT_INFO_SYS_FORE_COLOR | EFI_FONT_INFO_SYS_BACK_COLOR;
NewStringInfo->FontInfo.FontStyle = StringFontInfo->FontStyle;
NewStringInfo->FontInfo.FontSize = StringFontInfo->FontSize;
- StrCpy (NewStringInfo->FontInfo.FontName, StringFontInfo->FontName);
+ StrCpyS (NewStringInfo->FontInfo.FontName, NameSize / sizeof (CHAR16), StringFontInfo->FontName);

Status = HiiStringToImage (
This,
Flags,
String,
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
index 7698cc2..a832486 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
@@ -1331,11 +1331,11 @@ HiiNewString (
StringPackage->StringPkgHdr->Header.Type = EFI_HII_PACKAGE_STRINGS;
StringPackage->StringPkgHdr->HdrSize = HeaderSize;
StringPackage->StringPkgHdr->StringInfoOffset = HeaderSize;
CopyMem (StringPackage->StringPkgHdr->LanguageWindow, mLanguageWindow, 16 * sizeof (CHAR16));
StringPackage->StringPkgHdr->LanguageName = 1;
- AsciiStrCpy (StringPackage->StringPkgHdr->Language, (CHAR8 *) Language);
+ AsciiStrCpyS (StringPackage->StringPkgHdr->Language, sizeof(StringPackage->StringPkgHdr->Language) / sizeof (CHAR8), (CHAR8 *) Language);

//
// Calculate the length of the string blocks, including string block to record
// printable language full name and EFI_HII_SIBT_END_BLOCK.
//
@@ -1840,11 +1840,11 @@ HiiGetLanguages (
//
continue;
}
ResultSize += AsciiStrSize (StringPackage->StringPkgHdr->Language);
if (ResultSize <= *LanguagesSize) {
- AsciiStrCpy (Languages, StringPackage->StringPkgHdr->Language);
+ AsciiStrCpyS (Languages, *LanguagesSize / sizeof (CHAR8), StringPackage->StringPkgHdr->Language);
Languages += AsciiStrSize (StringPackage->StringPkgHdr->Language);
*(Languages - 1) = L';';
}
}
if (ResultSize == 0) {
@@ -1957,11 +1957,11 @@ HiiGetSecondaryLanguages (
}
Languages++;

ResultSize = AsciiStrSize (Languages);
if (ResultSize <= *SecondaryLanguagesSize) {
- AsciiStrCpy (SecondaryLanguages, Languages);
+ AsciiStrCpyS (SecondaryLanguages, *SecondaryLanguagesSize / sizeof (CHAR8), Languages);
} else {
*SecondaryLanguagesSize = ResultSize;
return EFI_BUFFER_TOO_SMALL;
}

@@ -2022,17 +2022,17 @@ HiiCompareLanguage (
// Convert to lower to compare.
//
StrLen = AsciiStrSize (Language1);
Lan1 = AllocateZeroPool (StrLen);
ASSERT (Lan1 != NULL);
- AsciiStrCpy(Lan1, Language1);
+ AsciiStrCpyS(Lan1, StrLen / sizeof (CHAR8), Language1);
AsciiHiiToLower (Lan1);

StrLen = AsciiStrSize (Language2);
Lan2 = AllocateZeroPool (StrLen);
ASSERT (Lan2 != NULL);
- AsciiStrCpy(Lan2, Language2);
+ AsciiStrCpyS(Lan2, StrLen / sizeof (CHAR8), Language2);
AsciiHiiToLower (Lan2);

//
// Compare the Primary Language in Language1 to Language2
//
diff --git a/MdeModulePkg/Universal/SetupBrowserDxe/Expression.c b/MdeModulePkg/Universal/SetupBrowserDxe/Expression.c
index f1a65b2..688a1d6 100644
--- a/MdeModulePkg/Universal/SetupBrowserDxe/Expression.c
+++ b/MdeModulePkg/Universal/SetupBrowserDxe/Expression.c
@@ -1322,10 +1322,11 @@ IfrCatenate (
CHAR16 *StringPtr;
UINTN Size;
UINT16 Length0;
UINT16 Length1;
UINT8 *TmpBuf;
+ UINTN MaxLen;

//
// String[0] - The second string
// String[1] - The first string
//
@@ -1361,14 +1362,15 @@ IfrCatenate (
}
}

if (Value[0].Type == EFI_IFR_TYPE_STRING) {
Size = StrSize (String[0]);
- StringPtr= AllocatePool (StrSize (String[1]) + Size);
+ MaxLen = (StrSize (String[1]) + Size) / sizeof (CHAR16);
+ StringPtr= AllocatePool (MaxLen * sizeof (CHAR16));
ASSERT (StringPtr != NULL);
- StrCpy (StringPtr, String[1]);
- StrCat (StringPtr, String[0]);
+ StrCpyS (StringPtr, MaxLen, String[1]);
+ StrCatS (StringPtr, MaxLen, String[0]);

Result->Type = EFI_IFR_TYPE_STRING;
Result->Value.string = NewString (StringPtr, FormSet->HiiHandle);
} else {
Result->Type = EFI_IFR_TYPE_BUFFER;
diff --git a/MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c b/MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c
index 4540560..953e3a5 100644
--- a/MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c
+++ b/MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c
@@ -686,10 +686,11 @@ InitializeRequestElement (
CHAR16 *NewStr;
CHAR16 RequestElement[30];
LIST_ENTRY *Link;
BOOLEAN Find;
FORM_BROWSER_CONFIG_REQUEST *ConfigInfo;
+ UINTN MaxLen;

Storage = Question->Storage;
if (Storage == NULL) {
return EFI_INVALID_PARAMETER;
}
@@ -730,30 +731,32 @@ InitializeRequestElement (
//
// Find Formset Storage for this Question
//
FormsetStorage = GetFstStgFromVarId(FormSet, Question->VarStoreId);
ASSERT (FormsetStorage != NULL);
+ StringSize = (FormsetStorage->ConfigRequest != NULL) ? StrSize (FormsetStorage->ConfigRequest) : sizeof (CHAR16);
+ MaxLen = StringSize / sizeof (CHAR16) + FormsetStorage->SpareStrLen;

//
// Append <RequestElement> to <ConfigRequest>
//
if (StrLen > FormsetStorage->SpareStrLen) {
//
// Old String buffer is not sufficient for RequestElement, allocate a new one
//
- StringSize = (FormsetStorage->ConfigRequest != NULL) ? StrSize (FormsetStorage->ConfigRequest) : sizeof (CHAR16);
- NewStr = AllocateZeroPool (StringSize + CONFIG_REQUEST_STRING_INCREMENTAL * sizeof (CHAR16));
+ MaxLen = StringSize / sizeof (CHAR16) + CONFIG_REQUEST_STRING_INCREMENTAL;
+ NewStr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (NewStr != NULL);
if (FormsetStorage->ConfigRequest != NULL) {
CopyMem (NewStr, FormsetStorage->ConfigRequest, StringSize);
FreePool (FormsetStorage->ConfigRequest);
}
FormsetStorage->ConfigRequest = NewStr;
FormsetStorage->SpareStrLen = CONFIG_REQUEST_STRING_INCREMENTAL;
}

- StrCat (FormsetStorage->ConfigRequest, RequestElement);
+ StrCatS (FormsetStorage->ConfigRequest, MaxLen, RequestElement);
FormsetStorage->ElementCount++;
FormsetStorage->SpareStrLen -= StrLen;

//
// Update the Config Request info saved in the form.
@@ -780,30 +783,32 @@ InitializeRequestElement (
ASSERT (ConfigInfo->ConfigRequest != NULL);
ConfigInfo->SpareStrLen = 0;
ConfigInfo->Storage = FormsetStorage->BrowserStorage;
InsertTailList(&Form->ConfigRequestHead, &ConfigInfo->Link);
}
+ StringSize = (ConfigInfo->ConfigRequest != NULL) ? StrSize (ConfigInfo->ConfigRequest) : sizeof (CHAR16);
+ MaxLen = StringSize / sizeof (CHAR16) + ConfigInfo->SpareStrLen;

//
// Append <RequestElement> to <ConfigRequest>
//
if (StrLen > ConfigInfo->SpareStrLen) {
//
// Old String buffer is not sufficient for RequestElement, allocate a new one
//
- StringSize = (ConfigInfo->ConfigRequest != NULL) ? StrSize (ConfigInfo->ConfigRequest) : sizeof (CHAR16);
- NewStr = AllocateZeroPool (StringSize + CONFIG_REQUEST_STRING_INCREMENTAL * sizeof (CHAR16));
+ MaxLen = StringSize / sizeof (CHAR16) + CONFIG_REQUEST_STRING_INCREMENTAL;
+ NewStr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (NewStr != NULL);
if (ConfigInfo->ConfigRequest != NULL) {
CopyMem (NewStr, ConfigInfo->ConfigRequest, StringSize);
FreePool (ConfigInfo->ConfigRequest);
}
ConfigInfo->ConfigRequest = NewStr;
ConfigInfo->SpareStrLen = CONFIG_REQUEST_STRING_INCREMENTAL;
}

- StrCat (ConfigInfo->ConfigRequest, RequestElement);
+ StrCatS (ConfigInfo->ConfigRequest, MaxLen, RequestElement);
ConfigInfo->ElementCount++;
ConfigInfo->SpareStrLen -= StrLen;
return EFI_SUCCESS;
}

diff --git a/MdeModulePkg/Universal/SetupBrowserDxe/Setup.c b/MdeModulePkg/Universal/SetupBrowserDxe/Setup.c
index 4d28617..41af7b5 100644
--- a/MdeModulePkg/Universal/SetupBrowserDxe/Setup.c
+++ b/MdeModulePkg/Universal/SetupBrowserDxe/Setup.c
@@ -633,10 +633,11 @@ ProcessStorage (
CHAR16 *ConfigResp;
EFI_STATUS Status;
CHAR16 *StrPtr;
UINTN BufferSize;
UINTN TmpSize;
+ UINTN MaxLen;
FORMSET_STORAGE *BrowserStorage;

if (RetrieveData) {
//
// Generate <ConfigResp>
@@ -658,11 +659,11 @@ ProcessStorage (

//
// Copy the data if the input buffer is bigger enough.
//
if (*ResultsDataSize >= BufferSize) {
- StrCpy (*ResultsData, StrPtr);
+ StrCpyS (*ResultsData, *ResultsDataSize / sizeof (CHAR16), StrPtr);
}

*ResultsDataSize = BufferSize;
FreePool (ConfigResp);
} else {
@@ -671,16 +672,17 @@ ProcessStorage (
//
BrowserStorage = GetFstStgFromBrsStg (Storage);
ASSERT (BrowserStorage != NULL);
TmpSize = StrLen (*ResultsData);
BufferSize = (TmpSize + StrLen (BrowserStorage->ConfigHdr) + 2) * sizeof (CHAR16);
+ MaxLen = BufferSize / sizeof (CHAR16);
ConfigResp = AllocateZeroPool (BufferSize);
ASSERT (ConfigResp != NULL);

- StrCpy (ConfigResp, BrowserStorage->ConfigHdr);
- StrCat (ConfigResp, L"&");
- StrCat (ConfigResp, *ResultsData);
+ StrCpyS (ConfigResp, MaxLen, BrowserStorage->ConfigHdr);
+ StrCatS (ConfigResp, MaxLen, L"&");
+ StrCatS (ConfigResp, MaxLen, *ResultsData);

//
// Update Browser uncommited data
//
Status = ConfigRespToStorage (Storage, ConfigResp);
@@ -1077,23 +1079,23 @@ NewStringCat (
IN OUT CHAR16 **Dest,
IN CHAR16 *Src
)
{
CHAR16 *NewString;
- UINTN TmpSize;
+ UINTN MaxLen;

if (*Dest == NULL) {
NewStringCpy (Dest, Src);
return;
}

- TmpSize = StrSize (*Dest);
- NewString = AllocateZeroPool (TmpSize + StrSize (Src) - 1);
+ MaxLen = ( StrSize (*Dest) + StrSize (Src) - 1) / sizeof (CHAR16);
+ NewString = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (NewString != NULL);

- StrCpy (NewString, *Dest);
- StrCat (NewString, Src);
+ StrCpyS (NewString, MaxLen, *Dest);
+ StrCatS (NewString, MaxLen, Src);

FreePool (*Dest);
*Dest = NewString;
}

@@ -1439,11 +1441,11 @@ BufferToValue (
Status = EFI_BUFFER_TOO_SMALL;
} else {
DstBuf = (CHAR16 *) Dst;
ZeroMem (TemStr, sizeof (TemStr));
for (Index = 0; Index < LengthStr; Index += 4) {
- StrnCpy (TemStr, Value + Index, 4);
+ StrnCpyS (TemStr, sizeof (TemStr) / sizeof (CHAR16), Value + Index, 4);
DstBuf[Index/4] = (CHAR16) StrHexToUint64 (TemStr);
}
//
// Add tailing L'\0' character
//
@@ -1693,19 +1695,21 @@ GetQuestionValue (
Length += StrLen (Question->BlockName);
} else {
Length = StrLen (FormsetStorage->ConfigHdr);
Length += StrLen (Question->VariableName) + 1;
}
- ConfigRequest = AllocateZeroPool ((Length + 1) * sizeof (CHAR16));
+ // Allocate buffer include '\0'
+ Length += 1;
+ ConfigRequest = AllocateZeroPool (Length * sizeof (CHAR16));
ASSERT (ConfigRequest != NULL);

- StrCpy (ConfigRequest, FormsetStorage->ConfigHdr);
+ StrCpyS (ConfigRequest, Length, FormsetStorage->ConfigHdr);
if (IsBufferStorage) {
- StrCat (ConfigRequest, Question->BlockName);
+ StrCatS (ConfigRequest, Length, Question->BlockName);
} else {
- StrCat (ConfigRequest, L"&");
- StrCat (ConfigRequest, Question->VariableName);
+ StrCatS (ConfigRequest, Length, L"&");
+ StrCatS (ConfigRequest, Length, Question->VariableName);
}

//
// Request current settings from Configuration Driver
//
@@ -1807,10 +1811,11 @@ SetQuestionValue (
UINT8 *TemBuffer;
CHAR16 *TemName;
CHAR16 *TemString;
UINTN Index;
NAME_VALUE_NODE *Node;
+ UINTN MaxLen;

Status = EFI_SUCCESS;
Node = NULL;

if (SetValueTo >= GetSetValueWithMax) {
@@ -1991,21 +1996,22 @@ SetQuestionValue (
} else {
Length += (StorageWidth * 2);
}
FormsetStorage = GetFstStgFromVarId(FormSet, Question->VarStoreId);
ASSERT (FormsetStorage != NULL);
- ConfigResp = AllocateZeroPool ((StrLen (FormsetStorage->ConfigHdr) + Length + 1) * sizeof (CHAR16));
+ MaxLen = StrLen (FormsetStorage->ConfigHdr) + Length + 1;
+ ConfigResp = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (ConfigResp != NULL);

- StrCpy (ConfigResp, FormsetStorage->ConfigHdr);
+ StrCpyS (ConfigResp, MaxLen, FormsetStorage->ConfigHdr);
if (IsBufferStorage) {
- StrCat (ConfigResp, Question->BlockName);
- StrCat (ConfigResp, L"&VALUE=");
+ StrCatS (ConfigResp, MaxLen, Question->BlockName);
+ StrCatS (ConfigResp, MaxLen, L"&VALUE=");
} else {
- StrCat (ConfigResp, L"&");
- StrCat (ConfigResp, Question->VariableName);
- StrCat (ConfigResp, L"=");
+ StrCatS (ConfigResp, MaxLen, L"&");
+ StrCatS (ConfigResp, MaxLen, Question->VariableName);
+ StrCatS (ConfigResp, MaxLen, L"=");
}

Value = ConfigResp + StrLen (ConfigResp);

if (!IsBufferStorage && IsString) {
@@ -4876,33 +4882,36 @@ AppendConfigRequest (
)
{
CHAR16 *NewStr;
UINTN StringSize;
UINTN StrLength;
+ UINTN MaxLen;

StrLength = StrLen (RequestElement);
+ StringSize = (*ConfigRequest != NULL) ? StrSize (*ConfigRequest) : sizeof (CHAR16);
+ MaxLen = StringSize / sizeof (CHAR16) + *SpareStrLen;

//
// Append <RequestElement> to <ConfigRequest>
//
if (StrLength > *SpareStrLen) {
//
// Old String buffer is not sufficient for RequestElement, allocate a new one
//
- StringSize = (*ConfigRequest != NULL) ? StrSize (*ConfigRequest) : sizeof (CHAR16);
- NewStr = AllocateZeroPool (StringSize + CONFIG_REQUEST_STRING_INCREMENTAL * sizeof (CHAR16));
+ MaxLen = StringSize / sizeof (CHAR16) + CONFIG_REQUEST_STRING_INCREMENTAL;
+ NewStr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (NewStr != NULL);

if (*ConfigRequest != NULL) {
CopyMem (NewStr, *ConfigRequest, StringSize);
FreePool (*ConfigRequest);
}
*ConfigRequest = NewStr;
*SpareStrLen = CONFIG_REQUEST_STRING_INCREMENTAL;
}

- StrCat (*ConfigRequest, RequestElement);
+ StrCatS (*ConfigRequest, MaxLen, RequestElement);
*SpareStrLen -= StrLength;
}

/**
Adjust the config request info, remove the request elements which already in AllConfigRequest string.
--
1.9.5.msysgit.1