From 964bc13723b11830bea2f33eafe7048d2253bbbb Mon Sep 17 00:00:00 2001
From: Nikolaj Schlej
Date: Fri, 21 Nov 2014 18:37:53 +0100
Subject: [PATCH] UEFITool 0.19.4 - solved a possible crash of EFI11/Tiano decompression routine
---
 Tiano/EfiTianoDecompress.c | 8 +++++++-
 ffsengine.cpp | 2 ++
 uefitool.cpp | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Tiano/EfiTianoDecompress.c b/Tiano/EfiTianoDecompress.c
index 2134b6c..9a3484c 100644
--- a/Tiano/EfiTianoDecompress.c
+++ b/Tiano/EfiTianoDecompress.c
@@ -681,6 +681,12 @@ Returns: (VOID)
 DataIdx = Sd->mOutBuf - DecodeP(Sd) - 1;
+ // Check to prevent possible heap corruption
+ if (DataIdx >= Sd->mOrigSize - BytesRemain) {
+ Sd->mBadTableFlag = 1;
+ return;
+ }
+
 BytesRemain--;
 while ((INT16)(BytesRemain) >= 0) {
 Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
@@ -989,4 +995,4 @@ EFI_INVALID_PARAMETER - The source data is corrupted
 ScratchSize,
 2
 );
-}
\ No newline at end of file
+}
diff --git a/ffsengine.cpp b/ffsengine.cpp
index 19009fa..2ce9aae 100644
--- a/ffsengine.cpp
+++ b/ffsengine.cpp
@@ -2146,6 +2146,7 @@ UINT8 FfsEngine::decompress(const QByteArray & compressedData, const UINT8 compr
 scratch = new UINT8[scratchSize];
 // Decompress section data
+ //TODO: separate EFI1.1 from Tiano another way
 // Try Tiano decompression first
 if (ERR_SUCCESS != TianoDecompress(data, dataSize, decompressed, decompressedSize, scratch, scratchSize)) {
@@ -2153,6 +2154,7 @@ UINT8 FfsEngine::decompress(const QByteArray & compressedData, const UINT8 compr
 if (ERR_SUCCESS != EfiDecompress(data, dataSize, decompressed, decompressedSize, scratch, scratchSize)) {
 if (algorithm) *algorithm = COMPRESSION_ALGORITHM_UNKNOWN;
+ delete[] decompressed;
 delete[] scratch;
 return ERR_STANDARD_DECOMPRESSION_FAILED;
diff --git a/uefitool.cpp b/uefitool.cpp
index 6abb3f1..4e10a71 100644
--- a/uefitool.cpp
+++ b/uefitool.cpp
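Review bot: The new guard `if (DataIdx >= Sd->mOrigSize - BytesRemain)` tests the symptom rather than the cause: DataIdx only goes wrong when the decoded back-reference distance reaches or exceeds what has already been written, so that `Sd->mOutBuf - DecodeP(Sd) - 1` wraps to a huge unsigned value, and the comparison catches that wrap only as long as `Sd->mOrigSize - BytesRemain` does not wrap itself when BytesRemain exceeds a very small mOrigSize (assuming the unsigned 32-bit counters the EDK implementation uses; the declarations are outside the hunk). The same condition also rejects a stream whose final match would run past the end of the output, which the copy loop below appears to handle by its own bound on mOutBuf (the loop body continues outside the hunk), so the guard may turn some previously accepted input into a bad-table error. Checking the distance directly is easier to reason about and has no wraparound cases: `Position = DecodeP(Sd); if (Position >= Sd->mOutBuf) { Sd->mBadTableFlag = 1; return; }` followed by `DataIdx = Sd->mOutBuf - Position - 1;`, with `Position` declared as a local of the same type as DataIdx. The enclosing function starts and ends outside the hunk.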
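Review bot: The added `delete[] decompressed;` closes the leak on this one exit only; decompress() still owns two raw `new[]` buffers across several early returns (the first ffsengine.cpp hunk shows `scratch = new UINT8[scratchSize];`, and `decompressed` is presumably allocated the same way above it), so every other return between the allocations and the end of the function, most of which lies outside these hunks, needs the same pair of deletes and will leak again the next time a return is added. Holding the buffers in a scoped owner removes that class of bug by construction, e.g. `QScopedArrayPointer<UINT8> decompressed(new UINT8[decompressedSize]);` at the allocation site with the explicit deletes dropped, or `std::unique_ptr<UINT8[]>` if the project builds as C++11; if the buffer is later handed to the caller, release it explicitly at that single point. The enclosing function starts and ends outside the hunk.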
@@ -17,7 +17,7 @@ UEFITool::UEFITool(QWidget *parent) :
 QMainWindow(parent),
 ui(new Ui::UEFITool),
-version(tr("0.19.3"))
+version(tr("0.19.4"))
 {
 clipboard = QApplication::clipboard();