https://git.reactos.org/?p=reactos.git;a=commitdiff;h=2811d2f990fdadef5697a…
commit 2811d2f990fdadef5697ac3927688b7447fdf177
Author: Stanislav Motylkov <x86corez(a)gmail.com>
AuthorDate: Wed Aug 7 13:06:37 2019 +0300
Commit: Hermès BÉLUSCA - MAÏTO <hermes.belusca-maito(a)reactos.org>
CommitDate: Wed Aug 7 12:06:37 2019 +0200
[FREELDR] xboxmem: Fix array out-of-bounds access (#1775)
Memory map array should be large enough to fit additional descriptors.
CORE-16216 CORE-16267
---
boot/freeldr/freeldr/arch/i386/pcmem.c | 2 --
boot/freeldr/freeldr/arch/i386/xboxmem.c | 3 ++-
boot/freeldr/freeldr/include/arch/pc/pcbios.h | 2 ++
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/boot/freeldr/freeldr/arch/i386/pcmem.c
b/boot/freeldr/freeldr/arch/i386/pcmem.c
index 2add4d918bf..4dd709b247c 100644
--- a/boot/freeldr/freeldr/arch/i386/pcmem.c
+++ b/boot/freeldr/freeldr/arch/i386/pcmem.c
@@ -35,8 +35,6 @@ DBG_DEFAULT_CHANNEL(MEMORY);
#define ULONGLONG_ALIGN_UP_BY(size, align) \
(ULONGLONG_ALIGN_DOWN_BY(((ULONGLONG)(size) + align - 1), align))
-#define MAX_BIOS_DESCRIPTORS 80ul
-
BIOS_MEMORY_MAP PcBiosMemoryMap[MAX_BIOS_DESCRIPTORS];
ULONG PcBiosMapCount;
diff --git a/boot/freeldr/freeldr/arch/i386/xboxmem.c
b/boot/freeldr/freeldr/arch/i386/xboxmem.c
index ee5da0fec1f..2d6890ea78e 100644
--- a/boot/freeldr/freeldr/arch/i386/xboxmem.c
+++ b/boot/freeldr/freeldr/arch/i386/xboxmem.c
@@ -89,12 +89,13 @@ XboxMemInit(VOID)
AvailableMemoryMb = InstalledMemoryMb;
}
-FREELDR_MEMORY_DESCRIPTOR XboxMemoryMap[2];
+FREELDR_MEMORY_DESCRIPTOR XboxMemoryMap[MAX_BIOS_DESCRIPTORS + 1];
PFREELDR_MEMORY_DESCRIPTOR
XboxMemGetMemoryMap(ULONG *MemoryMapSize)
{
TRACE("XboxMemGetMemoryMap()\n");
+ /* FIXME: Obtain memory map via multiboot spec */
/* Synthesize memory map */
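Review bot: The new dimension `MAX_BIOS_DESCRIPTORS + 1` on `XboxMemoryMap` is not explained, and nothing visible in this hunk ties the code that fills the array to that capacity, so the out-of-bounds write this commit fixes could return if either side changes later. The body of `XboxMemGetMemoryMap` continues outside the hunk, so the following is inferred rather than seen: if the routines that append descriptors take a maximum count, that count should be derived from the array itself (`sizeof(XboxMemoryMap) / sizeof(XboxMemoryMap[0])`) rather than repeated as a separate constant. I would also add a comment above the declaration, for example `/* Sized MAX_BIOS_DESCRIPTORS + 1: must stay at least as large as the limit given to the descriptor helpers (confirm what the extra slot holds) */`.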
diff --git a/boot/freeldr/freeldr/include/arch/pc/pcbios.h
b/boot/freeldr/freeldr/include/arch/pc/pcbios.h
index 826a16854de..5ad273f0442 100644
--- a/boot/freeldr/freeldr/include/arch/pc/pcbios.h
+++ b/boot/freeldr/freeldr/include/arch/pc/pcbios.h
@@ -3,6 +3,8 @@
#ifndef __ASM__
+#define MAX_BIOS_DESCRIPTORS 80
+
typedef enum
{
// ACPI 1.0.
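Review bot: The relocated `#define MAX_BIOS_DESCRIPTORS 80` drops the `ul` suffix that the removed definition in pcmem.c had (`80ul`), so the constant changes type from `unsigned long` to `int`. Array dimensions are unaffected, but any use in a comparison with a signed value or as a variadic argument to a trace format would now behave differently; those uses are outside this diff, so this is a point to check rather than a confirmed defect. Keeping `#define MAX_BIOS_DESCRIPTORS 80ul` would preserve the old type. Since the macro now sizes memory-map arrays in more than one file, a one-line comment such as `/* Capacity of the firmware memory-map arrays; shared by the PC and Xbox memory code */` would help.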