From ef3a1ef397a2677cccd0e3e7f1287f29f0094e17 Mon Sep 17 00:00:00 2001
From: Tormod Volden <debian.tormod@gmail.com>
Date: Tue, 23 Jul 2024 23:23:20 +0200
Subject: ShellPkg/UefiShellLib: Prevent out-of-bounds access

If InternalShellStrHexToUint64() is passed a string that starts with 'X'
or 'x' it would try to read the byte before the start of the string
buffer.

Instead check if leading zeroes have been consumed.

Signed-off-by: Tormod Volden <debian.tormod@gmail.com>
---
 ShellPkg/Library/UefiShellLib/UefiShellLib.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ShellPkg/Library/UefiShellLib/UefiShellLib.c b/ShellPkg/Library/UefiShellLib/UefiShellLib.c
index f023505300..488129801e 100644
--- a/ShellPkg/Library/UefiShellLib/UefiShellLib.c
+++ b/ShellPkg/Library/UefiShellLib/UefiShellLib.c
@@ -4009,7 +4009,8 @@ InternalShellStrHexToUint64 (
   IN CONST BOOLEAN  StopAtSpace
   )
 {
-  UINT64  Result;
+  UINT64   Result;
+  BOOLEAN  LeadingZero;
 
   if ((String == NULL) || (StrSize (String) == 0) || (Value == NULL)) {
     return (EFI_INVALID_PARAMETER);
@@ -4025,12 +4026,14 @@ InternalShellStrHexToUint64 (
   //
   // Ignore leading Zeros after the spaces
   //
+  LeadingZero = FALSE;
   while (*String == L'0') {
     String++;
+    LeadingZero = TRUE;
   }
 
   if (CharToUpper (*String) == L'X') {
-    if (*(String - 1) != L'0') {
+    if (!LeadingZero) {
       return 0;
     }
 
-- 
cgit