From 681f8f4e6b44e28394a34c6e82c365f643b6b4e3 Mon Sep 17 00:00:00 2001 From: Robert Moore Date: Fri, 9 Apr 2010 12:47:44 -0700 Subject: [PATCH] Prevent possible allocation overrun during object copy. Original code did not handle the case where the object to be copied was a namespace node. --- source/components/utilities/utcopy.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/source/components/utilities/utcopy.c b/source/components/utilities/utcopy.c index fe44083c5..c1fccaefe 100644 --- a/source/components/utilities/utcopy.c +++ b/source/components/utilities/utcopy.c @@ -797,6 +797,7 @@ AcpiUtCopySimpleObject ( UINT16 ReferenceCount; ACPI_OPERAND_OBJECT *NextObject; ACPI_STATUS Status; + ACPI_SIZE CopySize; /* Save fields from destination that we don't want to overwrite */ @@ -804,10 +805,18 @@ AcpiUtCopySimpleObject ( ReferenceCount = DestDesc->Common.ReferenceCount; NextObject = DestDesc->Common.NextObject; - /* Copy the entire source object over the destination object*/ + /* + * Copy the entire source object over the destination object. + * Note: Source can be either an operand object or namespace node. + */ + CopySize = sizeof (ACPI_OPERAND_OBJECT); + if (ACPI_GET_DESCRIPTOR_TYPE (SourceDesc) == ACPI_DESC_TYPE_NAMED) + { + CopySize = sizeof (ACPI_NAMESPACE_NODE); + } - ACPI_MEMCPY ((char *) DestDesc, (char *) SourceDesc, - sizeof (ACPI_OPERAND_OBJECT)); + ACPI_MEMCPY (ACPI_CAST_PTR (char, DestDesc), + ACPI_CAST_PTR (char, SourceDesc), CopySize); /* Restore the saved fields */ @@ -841,8 +850,7 @@ AcpiUtCopySimpleObject ( /* Copy the actual buffer data */ ACPI_MEMCPY (DestDesc->Buffer.Pointer, - SourceDesc->Buffer.Pointer, - SourceDesc->Buffer.Length); + SourceDesc->Buffer.Pointer, SourceDesc->Buffer.Length); } break; @@ -864,7 +872,7 @@ AcpiUtCopySimpleObject ( /* Copy the actual string data */ ACPI_MEMCPY (DestDesc->String.Pointer, SourceDesc->String.Pointer, - (ACPI_SIZE) SourceDesc->String.Length + 1); + (ACPI_SIZE) SourceDesc->String.Length + 1); } break;