summaryrefslogtreecommitdiff
path: root/SecurityPkg/VariableAuthenticated/Pei/Variable.c
diff options
context:
space:
mode:
Diffstat (limited to 'SecurityPkg/VariableAuthenticated/Pei/Variable.c')
-rw-r--r--SecurityPkg/VariableAuthenticated/Pei/Variable.c22
1 files changed, 20 insertions, 2 deletions
diff --git a/SecurityPkg/VariableAuthenticated/Pei/Variable.c b/SecurityPkg/VariableAuthenticated/Pei/Variable.c
index 274feb31ac..7ead809a3b 100644
--- a/SecurityPkg/VariableAuthenticated/Pei/Variable.c
+++ b/SecurityPkg/VariableAuthenticated/Pei/Variable.c
@@ -3,7 +3,7 @@
ReadOnly Varaiable2 PPI. These services operates the non-volatile
storage space.
-Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -546,14 +546,25 @@ GetVariableHeader (
EFI_HOB_GUID_TYPE *GuidHob;
UINTN PartialHeaderSize;
+ if (Variable == NULL) {
+ return FALSE;
+ }
+
//
// First assume variable header pointed by Variable is consecutive.
//
*VariableHeader = Variable;
- if ((Variable != NULL) && (StoreInfo->FtwLastWriteData != NULL)) {
+ if (StoreInfo->FtwLastWriteData != NULL) {
TargetAddress = StoreInfo->FtwLastWriteData->TargetAddress;
SpareAddress = StoreInfo->FtwLastWriteData->SpareAddress;
+ if (((UINTN) Variable > (UINTN) SpareAddress) &&
+ (((UINTN) Variable - (UINTN) SpareAddress + (UINTN) TargetAddress) >= (UINTN) GetEndPointer (StoreInfo->VariableStoreHeader))) {
+ //
+ // Reach the end of variable store.
+ //
+ return FALSE;
+ }
if (((UINTN) Variable < (UINTN) TargetAddress) && (((UINTN) Variable + sizeof (VARIABLE_HEADER)) > (UINTN) TargetAddress)) {
//
// Variable header pointed by Variable is inconsecutive,
@@ -575,6 +586,13 @@ GetVariableHeader (
CopyMem ((UINT8 *) *VariableHeader + PartialHeaderSize, (UINT8 *) (UINTN) SpareAddress, sizeof (VARIABLE_HEADER) - PartialHeaderSize);
}
}
+ } else {
+ if (Variable >= GetEndPointer (StoreInfo->VariableStoreHeader)) {
+ //
+ // Reach the end of variable store.
+ //
+ return FALSE;
+ }
}
return IsValidVariableHeader (*VariableHeader);
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-06 03:47:33 +0000