This commit will resolve the issue brought by r17736.

Str = AllocateCopyPool (MaxLen * sizeof (CHAR16), Str1);

The above using of AllocateCopyPool() will read contents out of the scope
of Str1. Potential risk for Str1 allocated at the boundary of memory
region.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <***@intel.com>
Reviewed-by: Qiu Shumin <***@intel.com>
Reviewed-by: Jeff Fan <***@intel.com>
---
IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c
index 1519315..56bcfab 100644
--- a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c
+++ b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c
@@ -1096,12 +1096,13 @@ BOpt_AppendFileName (
Size1 = StrSize (Str1);
Size2 = StrSize (Str2);
MaxLen = (Size1 + Size2 + sizeof (CHAR16)) / sizeof (CHAR16);
- Str = AllocateCopyPool (MaxLen * sizeof (CHAR16), Str1);
+ Str = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (Str != NULL);

TmpStr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (TmpStr != NULL);

+ StrCatS (Str, MaxLen, Str1);
if (!((*Str == '\\') && (*(Str + 1) == 0))) {
StrCatS (Str, MaxLen, L"\\");
}

This commit will resolve the issue brought by r17733.

StringBuffer1 = AllocateCopyPool (
MAX_STRING_LEN * sizeof (CHAR16),
L"Configuration changed. Reset to apply it Now."
);

The above using of AllocateCopyPool() will read contents out of the scope
of the constant string. Potential risk for the constant string allocated
at the boundary of memory region.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <***@intel.com>
Reviewed-by: Qiu Shumin <***@intel.com>
Reviewed-by: Jeff Fan <***@intel.com>
---
.../Library/GenericBdsLib/BdsMisc.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsMisc.c b/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsMisc.c
index b5be631..24c1998 100644
--- a/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsMisc.c
+++ b/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsMisc.c
@@ -1127,16 +1127,20 @@ SetupResetReminder (
if (IsResetReminderFeatureEnable ()) {
if (IsResetRequired ()) {

- StringBuffer1 = AllocateCopyPool (
- MAX_STRING_LEN * sizeof (CHAR16),
- L"Configuration changed. Reset to apply it Now."
- );
+ StringBuffer1 = AllocateZeroPool (MAX_STRING_LEN * sizeof (CHAR16));
ASSERT (StringBuffer1 != NULL);
- StringBuffer2 = AllocateCopyPool (
- MAX_STRING_LEN * sizeof (CHAR16),
- L"Press ENTER to reset"
- );
+ StringBuffer2 = AllocateZeroPool (MAX_STRING_LEN * sizeof (CHAR16));
ASSERT (StringBuffer2 != NULL);
+ StrCpyS (
+ StringBuffer1,
+ MAX_STRING_LEN,
+ L"Configuration changed. Reset to apply it Now."
+ );
+ StrCpyS (
+ StringBuffer2,
+ MAX_STRING_LEN,
+ L"Press ENTER to reset"
+ );
//
// Popup a menu to notice user
//

This commit will resolve the issue brought by r17737.

HelpString = AllocateCopyPool (HelpSize, L"Device Path : ");

The above using of AllocateCopyPool() will read contents out of the scope
of the constant string. Potential risk for the constant string allocated
at the boundary of memory region.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <***@intel.com>
Reviewed-by: Qiu Shumin <***@intel.com>
Reviewed-by: Jeff Fan <***@intel.com>
---
IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c
index 978959d..6efd783 100644
--- a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c
+++ b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c
@@ -319,8 +319,9 @@ CallBootManager (

TempStr = DevicePathToStr (Option->DevicePath);
HelpSize = StrSize (TempStr) + StrSize (L"Device Path : ");
- HelpString = AllocateCopyPool (HelpSize, L"Device Path : ");
+ HelpString = AllocateZeroPool (HelpSize);
ASSERT (HelpString != NULL);
+ StrCatS (HelpString, HelpSize / sizeof (CHAR16), L"Device Path : ");
StrCatS (HelpString, HelpSize / sizeof (CHAR16), TempStr);

HelpToken = HiiSetString (HiiHandle, 0, HelpString, NULL);