From ea38ab3696c1a998cc847d40b77daf2922e8869e Mon Sep 17 00:00:00 2001
From: yeggor
Date: Fri, 17 Mar 2023 02:17:29 +0400
Subject: [PATCH] Fix nullptr deref, OOB access to volumeHeader and tempHeader by checking volumeHeader->HeaderLength

---
 common/ffsparser.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/common/ffsparser.cpp b/common/ffsparser.cpp
index 3a6b4d6..d5c6e73 100644
--- a/common/ffsparser.cpp
+++ b/common/ffsparser.cpp
@@ -1123,6 +1123,11 @@ USTATUS FfsParser::parseVolumeHeader(const UByteArray & volume, const UINT32 loc
     // Check header checksum by recalculating it
     bool msgInvalidChecksum = false;
+
+    if (volumeHeader->HeaderLength < sizeof(EFI_FIRMWARE_VOLUME_HEADER)) {
+        msg(usprintf("%s: input volume header length %Xh (%u) is smaller than volume header size", __FUNCTION__, (UINT32)volumeHeader->HeaderLength, (UINT32)volumeHeader->HeaderLength));
+        return U_INVALID_VOLUME;
+    }
     UByteArray tempHeader((const char*)volumeHeader, volumeHeader->HeaderLength);
     ((EFI_FIRMWARE_VOLUME_HEADER*)tempHeader.data())->Checksum = 0;
     UINT16 calculated = calculateChecksum16((const UINT16*)tempHeader.constData(), volumeHeader->HeaderLength);
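Review bot: The new guard bounds HeaderLength from below only, so a HeaderLength larger than the bytes remaining in `volume` still lets `UByteArray tempHeader((const char*)volumeHeader, volumeHeader->HeaderLength)` and the following `calculateChecksum16` read past the input; if parseVolumeHeader does not already compare HeaderLength against `volume.size()` before this point, a second check such as `if (volumeHeader->HeaderLength > volume.size()) return U_INVALID_VOLUME;` (adjusted for the header's offset into `volume`) belongs next to this one. The message would also be more useful if it printed the expected minimum the way it prints the actual value, e.g. `... is smaller than volume header size %Xh (%u)` with `(UINT32)sizeof(EFI_FIRMWARE_VOLUME_HEADER)` passed twice more. The blank line added above the `if` separates it from the comment `// Check header checksum by recalculating it`, which no longer describes it; a comment of its own, `// Reject headers too short to hold EFI_FIRMWARE_VOLUME_HEADER`, would read better. parseVolumeHeader starts before the hunk and continues after it.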