[PATCH] RedfishPkg/RedfishLib: Avoid possible overflow in memcpy


houjingyi
 

From 0541928e66eb01802a855bbbae125ef0b02259d6 Mon Sep 17 00:00:00 2001
From: houjingyi233 <houjingyi647@...>
Date: Wed, 25 Jan 2023 22:11:31 +0800
Subject: [PATCH] RedfishPkg/RedfishLib: Avoid possible overflow in memcpy

It is possible that when the third argument of the memcpy is unequal
to the first argument of malloc will cause overflow, when +1 in malloc
cause int overflow malloc a very small size of memory and followed memcpy
will cause heap overflow.

Signed-off-by: houjingyi233 <houjingyi647@...>
---
 .../RedfishLib/edk2libredfish/src/redpath.c           | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redpath.c b/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redpath.c
index cf5ab85165..a1523938f7 100644
--- a/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redpath.c
+++ b/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redpath.c
@@ -175,6 +175,10 @@ parseNode (
     return;
   }
 
+  if ((opChars - index)+1 < opChars - index) {
+    return;
+  }
+
   node->next->propName = (char *)malloc ((opChars - index)+1);
   memcpy (node->next->propName, index, (opChars - index));
   node->next->propName[(opChars - index)] = 0;
@@ -189,6 +193,9 @@ parseNode (
     break;
   }
 
+  if (tmpIndex+1 < tmpIndex) {
+    return;
+  }
   node->next->op = (char *)malloc (tmpIndex+1);
   memcpy (node->next->op, opChars, tmpIndex);
   node->next->op[tmpIndex] = 0;
@@ -217,6 +224,10 @@ getStringTill (
     return strdup (string);
   }
 
+  if ((end-string)+1 < end-string) {
+    return;
+  }
+
   ret = (char *)malloc ((end-string)+1);
   memcpy (ret, string, (end-string));
   ret[(end-string)] = 0;
--
2.37.3

Join devel@edk2.groups.io to automatically receive all group messages.