Improve robustness when scanning PCI Option ROM.

Signed-off-by: rsun3
Reviewed-by: geekboy15a


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13095 6f19259b-4bc3-4df7-8a09-765794883524

DuetPkg/PciBusNoEnumerationDxe/PciOptionRomSupport.c

@@ -1,6 +1,6 @@
 /*++
 
-Copyright (c) 2005 - 2006, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials                          
 are licensed and made available under the terms and conditions of the BSD License         
 which accompanies this distribution.  The full text of the license may be found at        
@@ -155,6 +155,7 @@ Returns:
   PCI_DATA_STRUCTURE        *RomPcir;
   UINT64                    RomSize;
   UINT64                    RomImageSize;
+  UINT32                    LegacyImageLength;
   UINT8                     *RomInMemory;
   UINT8                     CodeType;
 
@@ -207,6 +208,7 @@ Returns:
   RomBarOffset  = RomBar;
   retStatus     = EFI_NOT_FOUND;
   FirstCheck    = TRUE;
+  LegacyImageLength = 0;
 
   do {
     PciDevice->PciRootBridgeIo->Mem.Read (
@@ -229,6 +231,15 @@ Returns:
 
     FirstCheck  = FALSE;
     OffsetPcir  = RomHeader->PcirOffset;
+    //
+    // If the pointer to the PCI Data Structure is invalid, no further images can be located. 
+    // The PCI Data Structure must be DWORD aligned. 
+    //
+    if (OffsetPcir == 0 ||
+       (OffsetPcir & 3) != 0 ||
+       RomImageSize + OffsetPcir + sizeof (PCI_DATA_STRUCTURE) > RomSize) {
+      break;
+    }
     PciDevice->PciRootBridgeIo->Mem.Read (
                                       PciDevice->PciRootBridgeIo,
                                       EfiPciWidthUint8,
@@ -236,8 +247,18 @@ Returns:
                                       sizeof (PCI_DATA_STRUCTURE),
                                       (UINT8 *) RomPcir
                                       );
+    //
+    // If a valid signature is not present in the PCI Data Structure, no further images can be located.
+    //
+    if (RomPcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+      break;
+    }
+    if (RomImageSize + RomPcir->ImageLength * 512 > RomSize) {
+      break;
+    }
     if (RomPcir->CodeType == PCI_CODE_TYPE_PCAT_IMAGE) {
       CodeType = PCI_CODE_TYPE_PCAT_IMAGE;
+      LegacyImageLength = ((UINT32)((EFI_LEGACY_EXPANSION_ROM_HEADER *)RomHeader)->Size512) * 512;
     }
     Indicator     = RomPcir->Indicator;
     RomImageSize  = RomImageSize + RomPcir->ImageLength * 512;
@@ -249,7 +270,7 @@ Returns:
   // of the legacy length and the PCIR Image Length
   //
   if (CodeType == PCI_CODE_TYPE_PCAT_IMAGE) {
-    RomImageSize = MAX(RomImageSize, (((EFI_LEGACY_EXPANSION_ROM_HEADER *)RomHeader)->Size512 * 512));
+    RomImageSize = MAX (RomImageSize, LegacyImageLength);
   }
 
   if (RomImageSize > 0) {
@@ -399,7 +420,6 @@ Returns:
   EFI_HANDLE                    ImageHandle;
   EFI_STATUS                    Status;
   EFI_STATUS                    retStatus;
-  BOOLEAN                       FirstCheck;
   BOOLEAN                       SkipImage;
   UINT32                        DestinationSize;
   UINT32                        ScratchSize;
@@ -410,6 +430,7 @@ Returns:
   EFI_DECOMPRESS_PROTOCOL       *Decompress;
   EFI_PCI_EXPANSION_ROM_HEADER  *EfiRomHeader;
   PCI_DATA_STRUCTURE            *Pcir;
+  UINT32                        InitializationSize;
 
   Indicator = 0;
 
@@ -419,35 +440,36 @@ Returns:
   RomBar        = PciDevice->PciIo.RomImage;
   RomBarOffset  = (UINT8 *) RomBar;
   retStatus     = EFI_NOT_FOUND;
-  FirstCheck    = TRUE;
+
+  if (RomBarOffset == NULL) {
+    return retStatus;
+  }
+  ASSERT (((EFI_PCI_EXPANSION_ROM_HEADER *) RomBarOffset)->Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE);
 
   do {
     EfiRomHeader = (EFI_PCI_EXPANSION_ROM_HEADER *) RomBarOffset;
     if (EfiRomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
       RomBarOffset = RomBarOffset + 512;
-      if (FirstCheck) {
+      continue;
-        break;
-      } else {
-        continue;
-      }
     }
 
-    FirstCheck  = FALSE;
     Pcir        = (PCI_DATA_STRUCTURE *) (RomBarOffset + EfiRomHeader->PcirOffset);
+    ASSERT (Pcir->Signature == PCI_DATA_STRUCTURE_SIGNATURE);
     ImageSize   = (UINT32) (Pcir->ImageLength * 512);
     Indicator   = Pcir->Indicator;
 
-    if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) && 
+    if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) &&
-        (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE)) {
+        (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) &&
+        ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
+         (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER))) {
 
-      if ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER)  ||
+      ImageOffset             = EfiRomHeader->EfiImageHeaderOffset;
-          (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER)) {
+      InitializationSize      = EfiRomHeader->InitializationSize * 512;
 
-        ImageOffset             = EfiRomHeader->EfiImageHeaderOffset;
+      if (InitializationSize <= ImageSize && ImageOffset < InitializationSize) {
-        ImageSize               = (UINT32) (EfiRomHeader->InitializationSize * 512);
 
         ImageBuffer             = (VOID *) (RomBarOffset + ImageOffset);
-        ImageLength             = ImageSize - (UINT32)ImageOffset;
+        ImageLength             =  InitializationSize - (UINT32)ImageOffset;
         DecompressedImageBuffer = NULL;
 
         //

DuetPkg/PciBusNoEnumerationDxe/PciRomTable.c

@@ -1,6 +1,6 @@
 /*++
 
-Copyright (c) 2005 - 2007, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials                          
 are licensed and made available under the terms and conditions of the BSD License         
 which accompanies this distribution.  The full text of the license may be found at        
@@ -133,6 +133,7 @@ Returns:
   VOID                          *DecompressedImageBuffer;
   UINT32                        ImageLength;
   EFI_DECOMPRESS_PROTOCOL       *Decompress;
+  UINT32                        InitializationSize;
 
   RomBar = (VOID *) (UINTN) PciOptionRomDescriptor->RomAddress;
   RomSize = (UINTN) PciOptionRomDescriptor->RomLength;
@@ -151,24 +152,44 @@ Returns:
 
     EfiRomHeader = (EFI_PCI_EXPANSION_ROM_HEADER *) (UINTN) RomBarOffset;
 
-    if (EfiRomHeader->Signature != 0xaa55) {
+
+    if (EfiRomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
       return retStatus;
     }
 
+    //
+    // If the pointer to the PCI Data Structure is invalid, no further images can be located. 
+    // The PCI Data Structure must be DWORD aligned. 
+    //
+    if (EfiRomHeader->PcirOffset == 0 ||
+        (EfiRomHeader->PcirOffset & 3) != 0 ||
+        RomBarOffset - (UINTN)RomBar + EfiRomHeader->PcirOffset + sizeof (PCI_DATA_STRUCTURE) > RomSize) {
+      break;
+    }
     Pcir      = (PCI_DATA_STRUCTURE *) (UINTN) (RomBarOffset + EfiRomHeader->PcirOffset);
+    //
+    // If a valid signature is not present in the PCI Data Structure, no further images can be located.
+    //
+    if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+      break;
+    }
     ImageSize = Pcir->ImageLength * 512;
+    if (RomBarOffset - (UINTN)RomBar + ImageSize > RomSize) {
+      break;
+    }
 
     if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) &&
-        (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) ) {
+        (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) &&
+        ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
+         (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER))) {
 
-      if ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
+      ImageOffset             = EfiRomHeader->EfiImageHeaderOffset;
-          (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER) ) {
+      InitializationSize      = EfiRomHeader->InitializationSize * 512;
 
-        ImageOffset             = EfiRomHeader->EfiImageHeaderOffset;
+      if (InitializationSize <= ImageSize && ImageOffset < InitializationSize) {
-        ImageSize               = EfiRomHeader->InitializationSize * 512;
 
         ImageBuffer             = (VOID *) (UINTN) (RomBarOffset + ImageOffset);
-        ImageLength             = ImageSize - ImageOffset;
+        ImageLength             = InitializationSize - ImageOffset;
         DecompressedImageBuffer = NULL;
 
         //

DuetPkg/PciRootBridgeNoEnumerationDxe/Ia32/PcatIo.c

@@ -1,6 +1,6 @@
 /*++
 
-Copyright (c) 2005 - 2008, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials                          
 are licensed and made available under the terms and conditions of the BSD License         
 which accompanies this distribution.  The full text of the license may be found at        
@@ -436,8 +436,10 @@ CheckForRom (
 
           Pcir.ImageLength = 0;
 
-          if (EfiRomHeader.Signature == 0xaa55) {
+          if (EfiRomHeader.Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE &&
-
+              EfiRomHeader.PcirOffset != 0 &&
+              (EfiRomHeader.PcirOffset & 3) == 0 &&
+              RomBarSize + EfiRomHeader.PcirOffset + sizeof (PCI_DATA_STRUCTURE) <= MaxRomSize) {
             ZeroMem (&Pcir, sizeof(Pcir));
             IoDev->Mem.Read (
               IoDev, 
@@ -447,6 +449,12 @@ CheckForRom (
               &Pcir
               );
 
+            if (Pcir.Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+              break;
+            }
+            if (RomBarSize + Pcir.ImageLength * 512 > MaxRomSize) {
+              break;
+            }
             if ((Pcir.Indicator & 0x80) == 0x00) {
               LastImage = FALSE;
             }

DuetPkg/PciRootBridgeNoEnumerationDxe/X64/PcatIo.c

@@ -1,6 +1,6 @@
 /*++
 
-Copyright (c) 2005 - 2006, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials                          
 are licensed and made available under the terms and conditions of the BSD License         
 which accompanies this distribution.  The full text of the license may be found at        
@@ -436,8 +436,10 @@ CheckForRom (
 
           Pcir.ImageLength = 0;
 
-          if (EfiRomHeader.Signature == 0xaa55) {
+          if (EfiRomHeader.Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE &&
-
+              EfiRomHeader.PcirOffset != 0 &&
+              (EfiRomHeader.PcirOffset & 3) == 0 &&
+              RomBarSize + EfiRomHeader.PcirOffset + sizeof (PCI_DATA_STRUCTURE) <= MaxRomSize) {
             ZeroMem (&Pcir, sizeof(Pcir));
             IoDev->Mem.Read (
               IoDev, 
@@ -447,6 +449,12 @@ CheckForRom (
               &Pcir
               );
 
+            if (Pcir.Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+              break;
+            }
+            if (RomBarSize + Pcir.ImageLength * 512 > MaxRomSize) {
+              break;
+            }
             if ((Pcir.Indicator & 0x80) == 0x00) {
               LastImage = FALSE;
             }

IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c

@@ -1,6 +1,6 @@
 /** @file
 
-Copyright (c) 1999 - 2010, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 1999 - 2012, Intel Corporation. All rights reserved.<BR>
 
 This program and the accompanying materials
 are licensed and made available under the terms and conditions
@@ -1226,6 +1226,16 @@ Undi16SimpleNetworkLoadUndi (
 
     DEBUG ((DEBUG_INIT, "Option ROM found at %X\n", RomAddress));
 
+    //
+    // If the pointer to the PCI Data Structure is invalid, no further images can be located. 
+    // The PCI Data Structure must be DWORD aligned. 
+    //
+    if (PciExpansionRomHeader->PcirOffset == 0 ||
+        (PciExpansionRomHeader->PcirOffset & 3) != 0 ||
+        RomAddress + PciExpansionRomHeader->PcirOffset + sizeof (PCI_DATA_STRUCTURE) > 0x100000) {
+      break;
+    }
+
     PciDataStructure = (PCI_DATA_STRUCTURE *) (RomAddress + PciExpansionRomHeader->PcirOffset);
 
     if (PciDataStructure->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {

IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c

@@ -1,6 +1,6 @@
 /** @file
 
-Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
 
 This program and the accompanying materials
 are licensed and made available under the terms and conditions
@@ -304,14 +304,24 @@ GetPciLegacyRom (
   BackupImage   = NULL;
   RomHeader.Raw = *Rom;
   while (RomHeader.Generic->Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
-    if (*ImageSize < 
+    if (RomHeader.Generic->PcirOffset == 0 ||
-        RomHeader.Raw - (UINT8 *) *Rom + RomHeader.Generic->PcirOffset + sizeof (PCI_DATA_STRUCTURE)
+        (RomHeader.Generic->PcirOffset & 3) !=0 ||
-        ) {
+        *ImageSize < RomHeader.Raw - (UINT8 *) *Rom + RomHeader.Generic->PcirOffset + sizeof (PCI_DATA_STRUCTURE)) {
-      return EFI_NOT_FOUND;
+      break;
     }
 
     Pcir = (PCI_3_0_DATA_STRUCTURE *) (RomHeader.Raw + RomHeader.Generic->PcirOffset);
+    //
+    // Check signature in the PCI Data Structure.
+    //
+    if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+      break;
+    }
 
+    if ((UINTN)(RomHeader.Raw - (UINT8 *) *Rom) + Pcir->ImageLength * 512 > *ImageSize) {
+      break;
+    }
+    
     if (Pcir->CodeType == PCI_CODE_TYPE_PCAT_IMAGE) {
       Match = FALSE;
       if (Pcir->VendorId == VendorId) {
@@ -2875,8 +2885,21 @@ LegacyBiosInstallPciRom (
     }
 
     LocalRomImage = *RomImage;
+    if (((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE ||
+        ((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->PcirOffset == 0 ||
+        (((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->PcirOffset & 3 ) != 0) {
+      mVgaInstallationInProgress = FALSE;
+      return EFI_UNSUPPORTED;
+    }
+    
     Pcir = (PCI_3_0_DATA_STRUCTURE *)
            ((UINT8 *) LocalRomImage + ((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->PcirOffset);
+
+    if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+      mVgaInstallationInProgress = FALSE;
+      return EFI_UNSUPPORTED;
+    }
+
     ImageSize = Pcir->ImageLength * 512;
     if (Pcir->Length >= 0x1C) {
       OpromRevision = Pcir->Revision;

MdeModulePkg/Bus/Pci/PciBusDxe/PciOptionRomSupport.c

@@ -1,7 +1,7 @@
 /** @file
   PCI Rom supporting funtions implementation for PCI Bus module.
 
-Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -53,6 +53,7 @@ LocalLoadFile2 (
   UINT32                                    ScratchSize;
   VOID                                      *Scratch;
   EFI_DECOMPRESS_PROTOCOL                   *Decompress;
+  UINT32                                    InitializationSize;
 
   EfiOpRomImageNode = (MEDIA_RELATIVE_OFFSET_RANGE_DEVICE_PATH *) FilePath;
   if ((EfiOpRomImageNode == NULL) ||
@@ -76,7 +77,7 @@ LocalLoadFile2 (
 
 
   Pcir = (PCI_DATA_STRUCTURE *) ((UINT8 *) EfiRomHeader + EfiRomHeader->PcirOffset);
-
+  ASSERT (Pcir->Signature == PCI_DATA_STRUCTURE_SIGNATURE);
 
   if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) &&
       (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) &&
@@ -85,9 +86,14 @@ LocalLoadFile2 (
       (EfiRomHeader->CompressionType <= EFI_PCI_EXPANSION_ROM_HEADER_COMPRESSED)
        ) {
 
-    ImageSize               = (UINT32) EfiRomHeader->InitializationSize * 512;
+    ImageSize = Pcir->ImageLength * 512;
+    InitializationSize = (UINT32) EfiRomHeader->InitializationSize * 512;
+    if (InitializationSize > ImageSize || EfiRomHeader->EfiImageHeaderOffset >=  InitializationSize) {
+      return EFI_NOT_FOUND;
+    }
+
     ImageBuffer             = (UINT8 *) EfiRomHeader + EfiRomHeader->EfiImageHeaderOffset;
-    ImageLength             = ImageSize - EfiRomHeader->EfiImageHeaderOffset;
+    ImageLength             = InitializationSize - EfiRomHeader->EfiImageHeaderOffset;
 
     if (EfiRomHeader->CompressionType != EFI_PCI_EXPANSION_ROM_HEADER_COMPRESSED) {
       //
@@ -321,23 +327,21 @@ ContainEfiImage (
 {
   PCI_EXPANSION_ROM_HEADER  *RomHeader;
   PCI_DATA_STRUCTURE        *RomPcir;
-  BOOLEAN                   FirstCheck;
 
-  FirstCheck = TRUE;
+  RomHeader = RomImage;
-  RomHeader  = RomImage;
+  if (RomHeader == NULL) {
+    return FALSE;
+  }
+  ASSERT (RomHeader->Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE);
 
   while ((UINT8 *) RomHeader < (UINT8 *) RomImage + RomSize) {
     if (RomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
-      if (FirstCheck) {
+      RomHeader = (PCI_EXPANSION_ROM_HEADER *) ((UINT8 *) RomHeader + 512);
-        return FALSE;
+      continue;
-      } else {
-        RomHeader = (PCI_EXPANSION_ROM_HEADER *) ((UINT8 *) RomHeader + 512);
-        continue;
-      }
     }
 
-    FirstCheck = FALSE;
     RomPcir    = (PCI_DATA_STRUCTURE *) ((UINT8 *) RomHeader + RomHeader->PcirOffset);
+    ASSERT (RomPcir->Signature == PCI_DATA_STRUCTURE_SIGNATURE);
 
     if (RomPcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) {
       return TRUE;
@@ -378,6 +382,7 @@ LoadOpRomImage (
   PCI_DATA_STRUCTURE        *RomPcir;
   UINT64                    RomSize;
   UINT64                    RomImageSize;
+  UINT32                    LegacyImageLength;
   UINT8                     *RomInMemory;
   UINT8                     CodeType;
 
@@ -430,6 +435,7 @@ LoadOpRomImage (
   RomBarOffset  = RomBar;
   RetStatus     = EFI_NOT_FOUND;
   FirstCheck    = TRUE;
+  LegacyImageLength = 0;
 
   do {
     PciDevice->PciRootBridgeIo->Mem.Read (
@@ -452,6 +458,15 @@ LoadOpRomImage (
 
     FirstCheck  = FALSE;
     OffsetPcir  = RomHeader->PcirOffset;
+    //
+    // If the pointer to the PCI Data Structure is invalid, no further images can be located. 
+    // The PCI Data Structure must be DWORD aligned. 
+    //
+    if (OffsetPcir == 0 ||
+        (OffsetPcir & 3) != 0 ||
+        RomImageSize + OffsetPcir + sizeof (PCI_DATA_STRUCTURE) > RomSize) {
+      break;
+    }
     PciDevice->PciRootBridgeIo->Mem.Read (
                                       PciDevice->PciRootBridgeIo,
                                       EfiPciWidthUint8,
@@ -459,8 +474,18 @@ LoadOpRomImage (
                                       sizeof (PCI_DATA_STRUCTURE),
                                       (UINT8 *) RomPcir
                                       );
+    //
+    // If a valid signature is not present in the PCI Data Structure, no further images can be located.
+    //
+    if (RomPcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+      break;
+    }
+    if (RomImageSize + RomPcir->ImageLength * 512 > RomSize) {
+      break;
+    }
     if (RomPcir->CodeType == PCI_CODE_TYPE_PCAT_IMAGE) {
       CodeType = PCI_CODE_TYPE_PCAT_IMAGE;
+      LegacyImageLength = ((UINT32)((EFI_LEGACY_EXPANSION_ROM_HEADER *)RomHeader)->Size512) * 512;
     }
     Indicator     = RomPcir->Indicator;
     RomImageSize  = RomImageSize + RomPcir->ImageLength * 512;
@@ -472,7 +497,7 @@ LoadOpRomImage (
   // of the legacy length and the PCIR Image Length
   //
   if (CodeType == PCI_CODE_TYPE_PCAT_IMAGE) {
-    RomImageSize = MAX(RomImageSize, (((EFI_LEGACY_EXPANSION_ROM_HEADER *)RomHeader)->Size512 * 512));
+    RomImageSize = MAX (RomImageSize, LegacyImageLength);
   }
 
   if (RomImageSize > 0) {
@@ -635,7 +660,6 @@ ProcessOpRomImage (
   EFI_HANDLE                               ImageHandle;
   EFI_STATUS                               Status;
   EFI_STATUS                               RetStatus;
-  BOOLEAN                                  FirstCheck;
   EFI_PCI_EXPANSION_ROM_HEADER             *EfiRomHeader;
   PCI_DATA_STRUCTURE                       *Pcir;
   EFI_DEVICE_PATH_PROTOCOL                 *PciOptionRomImageDevicePath;
@@ -651,21 +675,21 @@ ProcessOpRomImage (
   RomBar        = PciDevice->PciIo.RomImage;
   RomBarOffset  = (UINT8 *) RomBar;
   RetStatus     = EFI_NOT_FOUND;
-  FirstCheck    = TRUE;
+
+  if (RomBar == NULL) {
+    return RetStatus;
+  }
+  ASSERT (((EFI_PCI_EXPANSION_ROM_HEADER *) RomBarOffset)->Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE);
 
   do {
     EfiRomHeader = (EFI_PCI_EXPANSION_ROM_HEADER *) RomBarOffset;
     if (EfiRomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
       RomBarOffset += 512;
-      if (FirstCheck) {
+      continue;
-        break;
-      } else {
-        continue;
-      }
     }
 
-    FirstCheck  = FALSE;
     Pcir        = (PCI_DATA_STRUCTURE *) (RomBarOffset + EfiRomHeader->PcirOffset);
+    ASSERT (Pcir->Signature == PCI_DATA_STRUCTURE_SIGNATURE);
     ImageSize   = (UINT32) (Pcir->ImageLength * 512);
     Indicator   = Pcir->Indicator;
 

OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c

@@ -1,7 +1,7 @@
 /** @file
   Platform BDS customizations.
 
-  Copyright (c) 2004 - 2009, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2004 - 2012, Intel Corporation. All rights reserved.<BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -1489,6 +1489,7 @@ PciRomLoadEfiDriversFromRomImage (
   VOID                          *DecompressedImageBuffer;
   UINT32                        ImageLength;
   EFI_DECOMPRESS_PROTOCOL       *Decompress;
+  UINT32                        InitializationSize;
 
   FileName = L"PciRomInMemory";
 
@@ -1503,24 +1504,43 @@ PciRomLoadEfiDriversFromRomImage (
 
     EfiRomHeader = (EFI_PCI_EXPANSION_ROM_HEADER *) (UINTN) RomOffset;
 
-    if (EfiRomHeader->Signature != 0xaa55) {
+    if (EfiRomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
       return retStatus;
     }
 
+    //
+    // If the pointer to the PCI Data Structure is invalid, no further images can be located. 
+    // The PCI Data Structure must be DWORD aligned. 
+    //
+    if (EfiRomHeader->PcirOffset == 0 ||
+        (EfiRomHeader->PcirOffset & 3) != 0 ||
+        RomOffset - (UINTN)Rom + EfiRomHeader->PcirOffset + sizeof (PCI_DATA_STRUCTURE) > RomSize) {
+      break;
+    }
     Pcir      = (PCI_DATA_STRUCTURE *) (UINTN) (RomOffset + EfiRomHeader->PcirOffset);
+    //
+    // If a valid signature is not present in the PCI Data Structure, no further images can be located.
+    //
+    if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+      break;
+    }
     ImageSize = Pcir->ImageLength * 512;
+    if (RomOffset - (UINTN)Rom + ImageSize > RomSize) {
+      break;
+    }
 
     if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) &&
-        (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) ) {
+        (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) &&
+        ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
+         (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER))) {
 
-      if ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
+      ImageOffset             = EfiRomHeader->EfiImageHeaderOffset;
-          (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER) ) {
+      InitializationSize      = EfiRomHeader->InitializationSize * 512;
 
-        ImageOffset             = EfiRomHeader->EfiImageHeaderOffset;
+      if (InitializationSize <= ImageSize && ImageOffset < InitializationSize) {
-        ImageSize               = EfiRomHeader->InitializationSize * 512;
 
         ImageBuffer             = (VOID *) (UINTN) (RomOffset + ImageOffset);
-        ImageLength             = ImageSize - ImageOffset;
+        ImageLength             = InitializationSize - ImageOffset;
         DecompressedImageBuffer = NULL;
 
         //

ShellPkg/Library/UefiShellDebug1CommandsLib/LoadPciRom.c

@@ -1,7 +1,7 @@
 /** @file
   Main file for LoadPciRom shell Debug1 function.
 
-  Copyright (c) 2005 - 2011, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -221,6 +221,7 @@ LoadEfiDriversFromRomImage (
   VOID                          *DecompressedImageBuffer;
   UINT32                        ImageLength;
   EFI_DECOMPRESS_PROTOCOL       *Decompress;
+  UINT32                        InitializationSize;
 
   ImageIndex    = 0;
   ReturnStatus     = EFI_NOT_FOUND;
@@ -230,27 +231,46 @@ LoadEfiDriversFromRomImage (
 
     EfiRomHeader = (EFI_PCI_EXPANSION_ROM_HEADER *) (UINTN) RomBarOffset;
 
-    if (EfiRomHeader->Signature != 0xaa55) {
+    if (EfiRomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
       ShellPrintHiiEx(-1, -1, NULL, STRING_TOKEN (STR_LOADPCIROM_CORRUPT), gShellDebug1HiiHandle, FileName, ImageIndex);
 //      PrintToken (STRING_TOKEN (STR_LOADPCIROM_IMAGE_CORRUPT), HiiHandle, ImageIndex);
       return ReturnStatus;
     }
 
+    //
+    // If the pointer to the PCI Data Structure is invalid, no further images can be located. 
+    // The PCI Data Structure must be DWORD aligned. 
+    //
+    if (EfiRomHeader->PcirOffset == 0 ||
+        (EfiRomHeader->PcirOffset & 3) != 0 ||
+        RomBarOffset - (UINTN)RomBar + EfiRomHeader->PcirOffset + sizeof (PCI_DATA_STRUCTURE) > RomSize) {
+      break;
+    }
+
     Pcir      = (PCI_DATA_STRUCTURE *) (UINTN) (RomBarOffset + EfiRomHeader->PcirOffset);
+    //
+    // If a valid signature is not present in the PCI Data Structure, no further images can be located.
+    //
+    if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+      break;
+    }
     ImageSize = Pcir->ImageLength * 512;
+    if (RomBarOffset - (UINTN)RomBar + ImageSize > RomSize) {
+      break;
+    }
 
     if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) &&
-        (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE)
+        (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) &&
-       ) {
+        ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
+         (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER))) {
 
-      if ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
+      ImageOffset             = EfiRomHeader->EfiImageHeaderOffset;
-          (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER)
+      InitializationSize      = EfiRomHeader->InitializationSize * 512;
-         ) {
+
-        ImageOffset             = EfiRomHeader->EfiImageHeaderOffset;
+      if (InitializationSize <= ImageSize && ImageOffset < InitializationSize) {
-        ImageSize               = EfiRomHeader->InitializationSize * 512;
 
         ImageBuffer             = (VOID *) (UINTN) (RomBarOffset + ImageOffset);
-        ImageLength             = ImageSize - ImageOffset;
+        ImageLength             = InitializationSize - ImageOffset;
         DecompressedImageBuffer = NULL;
 
         //