REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1255

For function ReadFile():

If the line

  Status = GetAedAdsData (
   ...
   );

is reached multiple times during the 'for' loop, freeing the data pointed
to by variable 'Data' may potentially lead to variable 'Ad' referencing the
already-freed data.

After calling function GetAllocationDescriptor(), 'Data' and 'Ad' may
point to the same memory (with some possible offset). Hence, this commit
will move the FreePool() call backwards to ensure the data will no longer
be used.

Cc: Paulo Alcantara <pa...@paulo.ac>
Cc: Ruiyu Ni <ruiyu...@intel.com>
Cc: Star Zeng <star.z...@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a...@intel.com>
---
 MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c 
b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
index 7526de79b2..bf73ab4252 100644
--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
@@ -1044,6 +1044,7 @@ ReadFile (
   EFI_STATUS              Status;
   UINT32                  LogicalBlockSize;
   VOID                    *Data;
+  VOID                    *DataBak;
   UINT64                  Length;
   VOID                    *Ad;
   UINT64                  AdOffset;
@@ -1184,12 +1185,7 @@ ReadFile (
       // Descriptor and its extents (ADs).
       //
       if (GET_EXTENT_FLAGS (RecordingFlags, Ad) == ExtentIsNextExtent) {
-        if (!DoFreeAed) {
-          DoFreeAed = TRUE;
-        } else {
-          FreePool (Data);
-        }
-
+        DataBak = Data;
         Status = GetAedAdsData (
           BlockIo,
           DiskIo,
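Review bot: The new `DataBak = Data;` line has no comment saying why the old buffer must outlive the GetAedAdsData() call, and the existing comment block above the `if` does not cover it. A short note here, stating that 'Ad' may still point into the buffer currently held in 'Data' and so it is released only after the call returns, would stop a later cleanup from folding the free back in front of the call. The name 'DataBak' also reads like a backup copy rather than "previous buffer pending free"; something like 'OldData' would make the ownership hand-off clearer.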
@@ -1200,6 +1196,13 @@ ReadFile (
           &Data,
           &Length
           );
+
+        if (!DoFreeAed) {
+          DoFreeAed = TRUE;
+        } else {
+          FreePool (DataBak);
+        }
+
         if (EFI_ERROR (Status)) {
           goto Error_Get_Aed;
         }
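Review bot: The relocated `FreePool (DataBak);` and the `DoFreeAed = TRUE;` assignment both run before the `EFI_ERROR (Status)` check, so they take effect even when GetAedAdsData() fails. If the callee leaves `Data` unchanged on failure, then on a second or later pass `Data` still equals `DataBak` when control reaches `goto Error_Get_Aed`, and any release or use of `Data` on that path would touch memory that has just been freed. On the first pass, `DoFreeAed` is set to TRUE even though no new buffer may have been returned. Please confirm what GetAedAdsData() does to `*Data` on error and what the Error_Get_Aed path does with `Data`; if either is unsafe, free the old buffer only after the status check succeeds, or set `Data` to NULL after freeing it on the failure path.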
-- 
2.12.0.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
