CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553)
According to the ISO C standard, strchr() is a function. We #define it as
a macro. Unfortunately, our macro evaluates the first argument ("str")
twice. If the expression passed for "str" has side effects, the behavior
may be undefined.

In a later patch in this series, we're going to resurrect "inet_pton.c"
(originally from the StdLib package), which calls strchr() just like that:

  strchr((xdigits = xdigits_l), ch)
  strchr((xdigits = xdigits_u), ch)

To enable this kind of function call, turn strchr() into a function.

Cc: David Woodhouse <[email protected]>
Cc: Jian J Wang <[email protected]>
Cc: Jiaxin Wu <[email protected]>
Cc: Sivaraman Nainar <[email protected]>
Cc: Xiaoyu Lu <[email protected]>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <[email protected]>
Reviewed-by: Philippe Mathieu-Daude <[email protected]>
Reviewed-by: Jian J Wang <[email protected]>
Reviewed-by: Jiaxin Wu <[email protected]>
lersek committed Nov 2, 2019
1 parent 2ca74e1 commit eb520d9
Showing 2 changed files with 6 additions and 1 deletion.
5 changes: 5 additions & 0 deletions CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
Expand Up @@ -115,6 +115,11 @@ QuickSortWorker (
// -- String Manipulation Routines --
//

char *strchr(const char *str, int ch)
{
return ScanMem8 (str, AsciiStrSize (str), (UINT8)ch);
}

/* Scan a string for the last occurrence of a character */
char *strrchr (const char *str, int c)
{
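
Review bot: The new strchr() definition has no comment, while strrchr() directly below it carries "/* Scan a string for the last occurrence of a character */". Add a matching one-line comment, and state in it that the scan length is AsciiStrSize (str), which counts the terminating NUL, so a search for '\0' still returns a pointer to the terminator as ISO C requires. The definition is also written "strchr(const char *str, int ch)" with no space before the parenthesis, unlike "strrchr (const char *str, int c)" below it. Because str is now a function parameter, the caller's expression is evaluated once even though str appears twice in the body, so the two uses on the return line are fine as written.
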
2 changes: 1 addition & 1 deletion CryptoPkg/Library/Include/CrtLibSupport.h
Expand Up @@ -147,6 +147,7 @@ int isupper (int);
int tolower (int);
int strcmp (const char *, const char *);
int strncasecmp (const char *, const char *, size_t);
char *strchr (const char *, int);
char *strrchr (const char *, int);
unsigned long strtoul (const char *, char **, int);
long strtol (const char *, char **, int);
Expand Down Expand Up @@ -188,7 +189,6 @@ void abort (void);
#define strcpy(strDest,strSource) AsciiStrCpyS(strDest,MAX_STRING_SIZE,strSource)
#define strncpy(strDest,strSource,count) AsciiStrnCpyS(strDest,MAX_STRING_SIZE,strSource,(UINTN)count)
#define strcat(strDest,strSource) AsciiStrCatS(strDest,MAX_STRING_SIZE,strSource)
#define strchr(str,ch) ScanMem8((VOID *)(str),AsciiStrSize(str),(UINT8)ch)
#define strncmp(string1,string2,count) (int)(AsciiStrnCmp(string1,string2,(UINTN)(count)))
#define strcasecmp(str1,str2) (int)AsciiStriCmp(str1,str2)
#define sprintf(buf,...) AsciiSPrint(buf,MAX_STRING_SIZE,__VA_ARGS__)
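
Review bot: Next to the strchr macro removed here, the strncpy macro still casts with "(UINTN)count", leaving count unparenthesized, while the strncmp macro below writes "(UINTN)(count)"; the removed line had the same pattern in "(UINT8)ch". With an argument such as "n + 1" the cast binds to n only. Consider parenthesizing count in strncpy in a follow-up, since this patch is already fixing macro argument handling in this block. The other macros visible in this hunk each use their arguments once, so they do not share the double-evaluation problem described in the commit message.
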
