File ovmf-bsc1186151-fix-iscsi-overflows.patch of Package ovmf.28657
From 114528c2c5e887e602b3c911a4b9d1ec02846013 Mon Sep 17 00:00:00 2001
From: Sean Brogan <sean.brogan@microsoft.com>
Date: Mon, 24 Apr 2017 16:37:20 -0700
Subject: [PATCH 01/18] MdePkg/BaseSafeIntLib: Add SafeIntLib class and
instance
https://bugzilla.tianocore.org/show_bug.cgi?id=798
SafeIntLib provides helper functions to prevent integer overflow
during type conversion, addition, subtraction, and multiplication.
Conversion Functions
====================
* Converting from a signed type to an unsigned type of the same
size, or vice-versa.
* Converting to a smaller type that could possibly overflow.
* Converting from a signed type to a larger unsigned type.
Unsigned Addition, Subtraction, Multiplication
===============================================
* Unsigned integer math functions protect from overflow and
underflow (in case of subtraction).
Signed Addition, Subtraction, Multiplication
============================================
* Strongly consider using unsigned numbers.
* Signed numbers are often used where unsigned numbers should
be used. For example file sizes and array indices should always
be unsigned. Subtracting a larger positive signed number from a
smaller positive signed number with SafeInt32Sub() will succeed,
producing a negative number, that then must not be used as an
array index (but can occasionally be used as a pointer index.)
Similarly for adding a larger magnitude negative number to a
smaller magnitude positive number.
* SafeIntLib does not protect you from such errors. It tells you
if your integer operations overflowed, not if you are doing the
right thing with your non-overflowed integers.
* Likewise you can overflow a buffer with a non-overflowed
unsigned index.
Based on content from the following branch/commits:
https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport
https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0
https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61
https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Sean Brogan <sean.brogan@microsoft.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
(cherry picked from commit d7a09cb86a0416c099fa3a9e0fbe2c8f399b28de)
---
MdePkg/Include/AArch64/ProcessorBind.h | 7 +-
MdePkg/Include/Arm/ProcessorBind.h | 7 +-
MdePkg/Include/Base.h | 8 +
MdePkg/Include/Ebc/ProcessorBind.h | 17 +-
MdePkg/Include/Ia32/ProcessorBind.h | 5 +
MdePkg/Include/Ipf/ProcessorBind.h | 7 +-
MdePkg/Include/Library/SafeIntLib.h | 3030 ++++++++++++
MdePkg/Include/X64/ProcessorBind.h | 5 +
.../Library/BaseSafeIntLib/BaseSafeIntLib.inf | 58 +
MdePkg/Library/BaseSafeIntLib/SafeIntLib.c | 4098 +++++++++++++++++
MdePkg/Library/BaseSafeIntLib/SafeIntLib32.c | 554 +++
MdePkg/Library/BaseSafeIntLib/SafeIntLib64.c | 508 ++
MdePkg/Library/BaseSafeIntLib/SafeIntLibEbc.c | 614 +++
MdePkg/MdePkg.dec | 5 +
MdePkg/MdePkg.dsc | 1 +
15 files changed, 8915 insertions(+), 9 deletions(-)
create mode 100644 MdePkg/Include/Library/SafeIntLib.h
create mode 100644 MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
create mode 100644 MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
create mode 100644 MdePkg/Library/BaseSafeIntLib/SafeIntLib32.c
create mode 100644 MdePkg/Library/BaseSafeIntLib/SafeIntLib64.c
create mode 100644 MdePkg/Library/BaseSafeIntLib/SafeIntLibEbc.c
diff --git a/MdePkg/Include/AArch64/ProcessorBind.h b/MdePkg/Include/AArch64/ProcessorBind.h
index c5fe874b1bd0..72453ded3251 100644
--- a/MdePkg/Include/AArch64/ProcessorBind.h
+++ b/MdePkg/Include/AArch64/ProcessorBind.h
@@ -1,7 +1,7 @@
/** @file
Processor or Compiler specific defines and types for AArch64.
- Copyright (c) 2006 - 2010, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
Portions copyright (c) 2008 - 2009, Apple Inc. All rights reserved.<BR>
Portions copyright (c) 2011 - 2013, ARM Ltd. All rights reserved.<BR>
@@ -99,6 +99,11 @@ typedef INT64 INTN;
#define MAX_INTN ((INTN)0x7FFFFFFFFFFFFFFFULL)
#define MAX_UINTN ((UINTN)0xFFFFFFFFFFFFFFFFULL)
+///
+/// Minimum legal AArch64 INTN value.
+///
+#define MIN_INTN (((INTN)-9223372036854775807LL) - 1)
+
///
/// The stack alignment required for AARCH64
///
diff --git a/MdePkg/Include/Arm/ProcessorBind.h b/MdePkg/Include/Arm/ProcessorBind.h
index c2482c2f50f0..5852bb81dbae 100644
--- a/MdePkg/Include/Arm/ProcessorBind.h
+++ b/MdePkg/Include/Arm/ProcessorBind.h
@@ -1,7 +1,7 @@
/** @file
Processor or Compiler specific defines and types for ARM.
- Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
Portions copyright (c) 2008 - 2009, Apple Inc. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -98,6 +98,11 @@ typedef INT32 INTN;
#define MAX_INTN ((INTN)0x7FFFFFFF)
#define MAX_UINTN ((UINTN)0xFFFFFFFF)
+///
+/// Minimum legal ARM INTN value.
+///
+#define MIN_INTN (((INTN)-2147483647) - 1)
+
///
/// The stack alignment required for ARM
///
diff --git a/MdePkg/Include/Base.h b/MdePkg/Include/Base.h
index eea3ba7c0d72..9e5244e54421 100644
--- a/MdePkg/Include/Base.h
+++ b/MdePkg/Include/Base.h
@@ -223,6 +223,14 @@ struct _LIST_ENTRY {
#define MAX_INT64 ((INT64)0x7FFFFFFFFFFFFFFFULL)
#define MAX_UINT64 ((UINT64)0xFFFFFFFFFFFFFFFFULL)
+///
+/// Minimum values for the signed UEFI Data Types
+///
+#define MIN_INT8 (((INT8) -127) - 1)
+#define MIN_INT16 (((INT16) -32767) - 1)
+#define MIN_INT32 (((INT32) -2147483647) - 1)
+#define MIN_INT64 (((INT64) -9223372036854775807LL) - 1)
+
#define BIT0 0x00000001
#define BIT1 0x00000002
#define BIT2 0x00000004
diff --git a/MdePkg/Include/Ebc/ProcessorBind.h b/MdePkg/Include/Ebc/ProcessorBind.h
index 075f768c7691..cb5bfe520f49 100644
--- a/MdePkg/Include/Ebc/ProcessorBind.h
+++ b/MdePkg/Include/Ebc/ProcessorBind.h
@@ -4,7 +4,7 @@
We currently only have one EBC compiler so there may be some Intel compiler
specific functions in this file.
-Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials are licensed and made available under
the terms and conditions of the BSD License that accompanies this distribution.
The full text of the license may be found at
@@ -91,23 +91,28 @@ typedef unsigned long UINTN;
/// A value of native width with the highest bit set.
/// Scalable macro to set the most significant bit in a natural number.
///
-#define MAX_BIT (1ULL << (sizeof (INTN) * 8 - 1))
+#define MAX_BIT ((UINTN)((1ULL << (sizeof (INTN) * 8 - 1))))
///
/// A value of native width with the two highest bits set.
/// Scalable macro to set the most 2 significant bits in a natural number.
///
-#define MAX_2_BITS (3ULL << (sizeof (INTN) * 8 - 2))
+#define MAX_2_BITS ((UINTN)(3ULL << (sizeof (INTN) * 8 - 2)))
///
/// Maximum legal EBC address
///
-#define MAX_ADDRESS ((UINTN) ~0)
+#define MAX_ADDRESS ((UINTN)(~0ULL >> (64 - sizeof (INTN) * 8)))
///
/// Maximum legal EBC INTN and UINTN values.
///
-#define MAX_UINTN ((UINTN) ~0)
-#define MAX_INTN ((INTN)~MAX_BIT)
+#define MAX_UINTN ((UINTN)(~0ULL >> (64 - sizeof (INTN) * 8)))
+#define MAX_INTN ((INTN)(~0ULL >> (65 - sizeof (INTN) * 8)))
+
+///
+/// Minimum legal EBC INTN value.
+///
+#define MIN_INTN (((INTN)-MAX_INTN) - 1)
///
/// The stack alignment required for EBC
diff --git a/MdePkg/Include/Ia32/ProcessorBind.h b/MdePkg/Include/Ia32/ProcessorBind.h
index 458f7dd21b93..b84899508eea 100644
--- a/MdePkg/Include/Ia32/ProcessorBind.h
+++ b/MdePkg/Include/Ia32/ProcessorBind.h
@@ -252,6 +252,11 @@ typedef INT32 INTN;
#define MAX_INTN ((INTN)0x7FFFFFFF)
#define MAX_UINTN ((UINTN)0xFFFFFFFF)
+///
+/// Minimum legal IA-32 INTN value.
+///
+#define MIN_INTN (((INTN)-2147483647) - 1)
+
///
/// The stack alignment required for IA-32.
///
diff --git a/MdePkg/Include/Ipf/ProcessorBind.h b/MdePkg/Include/Ipf/ProcessorBind.h
index cead57526283..d552d418af87 100644
--- a/MdePkg/Include/Ipf/ProcessorBind.h
+++ b/MdePkg/Include/Ipf/ProcessorBind.h
@@ -1,7 +1,7 @@
/** @file
Processor or Compiler specific defines and types for Intel Itanium(TM) processors.
-Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials are licensed and made available
under the terms and conditions of the BSD License which accompanies this
distribution. The full text of the license may be found at
@@ -242,6 +242,11 @@ typedef INT64 INTN;
#define MAX_INTN ((INTN)0x7FFFFFFFFFFFFFFFULL)
#define MAX_UINTN ((UINTN)0xFFFFFFFFFFFFFFFFULL)
+///
+/// Minimum legal Itanium-based INTN value.
+///
+#define MIN_INTN (((INTN)-9223372036854775807LL) - 1)
+
///
/// Per the Itanium Software Conventions and Runtime Architecture Guide,
/// section 3.3.4, IPF stack must always be 16-byte aligned.
diff --git a/MdePkg/Include/Library/SafeIntLib.h b/MdePkg/Include/Library/SafeIntLib.h
new file mode 100644
index 000000000000..583930195a61
--- /dev/null
+++ b/MdePkg/Include/Library/SafeIntLib.h
@@ -0,0 +1,3030 @@
+/** @file
+ This library provides helper functions to prevent integer overflow during
+ type conversion, addition, subtraction, and multiplication.
+
+ Copyright (c) 2017, Microsoft Corporation
+
+ All rights reserved.
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+**/
+#ifndef __INT_SAFE_LIB_H__
+#define __INT_SAFE_LIB_H__
+
+//
+// It is common for -1 to be used as an error value
+//
+#define INT8_ERROR ((INT8) -1)
+#define UINT8_ERROR MAX_UINT8
+#define CHAR8_ERROR ((CHAR8)(MAX_INT8))
+#define INT16_ERROR ((INT16) -1)
+#define UINT16_ERROR MAX_UINT16
+#define CHAR16_ERROR MAX_UINT16
+#define INT32_ERROR ((INT32) -1)
+#define UINT32_ERROR MAX_UINT32
+#define INT64_ERROR ((INT64) -1)
+#define UINT64_ERROR MAX_UINT64
+#define INTN_ERROR ((INTN) -1)
+#define UINTN_ERROR MAX_UINTN
+
+//
+// CHAR16 is defined to be the same as UINT16, so for CHAR16
+// operations redirect to the UINT16 ones:
+//
+#define SafeInt8ToChar16 SafeInt8ToUint16
+#define SafeInt16ToChar16 SafeInt16ToUint16
+#define SafeInt32ToChar16 SafeInt32ToUint16
+#define SafeUint32ToChar16 SafeUint32ToUint16
+#define SafeInt64ToChar16 SafeInt64ToUint16
+#define SafeUint64ToChar16 SafeUint64ToUint16
+#define SafeIntnToChar16 SafeIntnToUint16
+#define SafeUintnToChar16 SafeUintnToUint16
+
+#define SafeChar16ToInt8 SafeUint16ToInt8
+#define SafeChar16ToUint8 SafeUint16ToUint8
+#define SafeChar16ToChar8 SafeUint16ToChar8
+#define SafeChar16ToInt16 SafeUint16ToInt16
+
+#define SafeChar16Mult SafeUint16Mult
+#define SafeChar16Sub SafeUint16Sub
+#define SafeChar16Add SafeUint16Add
+
+//
+// Conversion functions
+//
+// There are three reasons for having conversion functions:
+//
+// 1. We are converting from a signed type to an unsigned type of the same
+// size, or vice-versa.
+//
+// 2. We are converting to a smaller type, and we could therefore possibly
+// overflow.
+//
+// 3. We are converting to a bigger type, and we are signed and the type we are
+// converting to is unsigned.
+//
+
+/**
+ INT8 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8ToUint8 (
+ IN INT8 Operand,
+ OUT UINT8 *Result
+ );
+
+/**
+ INT8 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8ToChar8 (
+ IN INT8 Operand,
+ OUT CHAR8 *Result
+ );
+
+/**
+ INT8 -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8ToUint16 (
+ IN INT8 Operand,
+ OUT UINT16 *Result
+ );
+
+/**
+ INT8 -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8ToUint32 (
+ IN INT8 Operand,
+ OUT UINT32 *Result
+ );
+
+/**
+ INT8 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8ToUintn (
+ IN INT8 Operand,
+ OUT UINTN *Result
+ );
+
+/**
+ INT8 -> UINT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8ToUint64 (
+ IN INT8 Operand,
+ OUT UINT64 *Result
+ );
+
+/**
+ UINT8 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint8ToInt8 (
+ IN UINT8 Operand,
+ OUT INT8 *Result
+ );
+
+/**
+ UINT8 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint8ToChar8 (
+ IN UINT8 Operand,
+ OUT CHAR8 *Result
+ );
+
+/**
+ INT16 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToInt8 (
+ IN INT16 Operand,
+ OUT INT8 *Result
+ );
+
+/**
+ INT16 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToChar8 (
+ IN INT16 Operand,
+ OUT CHAR8 *Result
+ );
+
+/**
+ INT16 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToUint8 (
+ IN INT16 Operand,
+ OUT UINT8 *pui8Result
+ );
+
+/**
+ INT16 -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToUint16 (
+ IN INT16 Operand,
+ OUT UINT16 *Result
+ );
+
+/**
+ INT16 -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToUint32 (
+ IN INT16 Operand,
+ OUT UINT32 *Result
+ );
+
+/**
+ INT16 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToUintn (
+ IN INT16 Operand,
+ OUT UINTN *Result
+ );
+
+/**
+ INT16 -> UINT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToUint64 (
+ IN INT16 Operand,
+ OUT UINT64 *Result
+ );
+
+/**
+ UINT16 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16ToInt8 (
+ IN UINT16 Operand,
+ OUT INT8 *Result
+ );
+
+/**
+ UINT16 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16ToChar8 (
+ IN UINT16 Operand,
+ OUT CHAR8 *Result
+ );
+
+/**
+ UINT16 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16ToUint8 (
+ IN UINT16 Operand,
+ OUT UINT8 *pui8Result
+ );
+
+/**
+ UINT16 -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16ToInt16 (
+ IN UINT16 Operand,
+ OUT INT16 *Result
+ );
+
+/**
+ INT32 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToInt8 (
+ IN INT32 Operand,
+ OUT INT8 *Result
+ );
+
+/**
+ INT32 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToChar8 (
+ IN INT32 Operand,
+ OUT CHAR8 *Result
+ );
+
+/**
+ INT32 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToUint8 (
+ IN INT32 Operand,
+ OUT UINT8 *pui8Result
+ );
+
+/**
+ INT32 -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToInt16 (
+ IN INT32 Operand,
+ OUT INT16 *Result
+ );
+
+/**
+ INT32 -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToUint16 (
+ IN INT32 Operand,
+ OUT UINT16 *Result
+ );
+
+
+/**
+ INT32 -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToUint32 (
+ IN INT32 Operand,
+ OUT UINT32 *Result
+ );
+
+/**
+ INT32 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToUintn (
+ IN INT32 Operand,
+ OUT UINTN *Result
+ );
+
+/**
+ INT32 -> UINT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToUint64 (
+ IN INT32 Operand,
+ OUT UINT64 *Result
+ );
+
+/**
+ UINT32 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToInt8 (
+ IN UINT32 Operand,
+ OUT INT8 *Result
+ );
+
+/**
+ UINT32 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToChar8 (
+ IN UINT32 Operand,
+ OUT CHAR8 *Result
+ );
+
+/**
+ UINT32 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToUint8 (
+ IN UINT32 Operand,
+ OUT UINT8 *pui8Result
+ );
+
+/**
+ UINT32 -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToInt16 (
+ IN UINT32 Operand,
+ OUT INT16 *Result
+ );
+
+/**
+ UINT32 -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToUint16 (
+ IN UINT32 Operand,
+ OUT UINT16 *Result
+ );
+
+/**
+ UINT32 -> INT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToInt32 (
+ IN UINT32 Operand,
+ OUT INT32 *Result
+ );
+
+/**
+ UINT32 -> INTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToIntn (
+ IN UINT32 Operand,
+ OUT INTN *Result
+ );
+
+/**
+ INTN -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToInt8 (
+ IN INTN Operand,
+ OUT INT8 *Result
+ );
+
+/**
+ INTN -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToChar8 (
+ IN INTN Operand,
+ OUT CHAR8 *Result
+ );
+
+/**
+ INTN -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToUint8 (
+ IN INTN Operand,
+ OUT UINT8 *pui8Result
+ );
+
+/**
+ INTN -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToInt16 (
+ IN INTN Operand,
+ OUT INT16 *Result
+ );
+
+/**
+ INTN -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToUint16 (
+ IN INTN Operand,
+ OUT UINT16 *Result
+ );
+
+/**
+ INTN -> INT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToInt32 (
+ IN INTN Operand,
+ OUT INT32 *Result
+ );
+
+/**
+ INTN -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToUint32 (
+ IN INTN Operand,
+ OUT UINT32 *Result
+ );
+
+/**
+ INTN -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToUintn (
+ IN INTN Operand,
+ OUT UINTN *Result
+ );
+
+/**
+ INTN -> UINT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToUint64 (
+ IN INTN Operand,
+ OUT UINT64 *Result
+ );
+
+/**
+ UINTN -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToInt8 (
+ IN UINTN Operand,
+ OUT INT8 *Result
+ );
+
+/**
+ UINTN -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToChar8 (
+ IN UINTN Operand,
+ OUT CHAR8 *Result
+ );
+
+/**
+ UINTN -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToUint8 (
+ IN UINTN Operand,
+ OUT UINT8 *pui8Result
+ );
+
+/**
+ UINTN -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToInt16 (
+ IN UINTN Operand,
+ OUT INT16 *Result
+ );
+
+/**
+ UINTN -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToUint16 (
+ IN UINTN Operand,
+ OUT UINT16 *Result
+ );
+
+/**
+ UINTN -> INT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToInt32 (
+ IN UINTN Operand,
+ OUT INT32 *Result
+ );
+
+/**
+ UINTN -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToUint32 (
+ IN UINTN Operand,
+ OUT UINT32 *Result
+ );
+
+/**
+ UINTN -> INTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToIntn (
+ IN UINTN Operand,
+ OUT INTN *Result
+ );
+
+/**
+ UINTN -> INT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToInt64 (
+ IN UINTN Operand,
+ OUT INT64 *Result
+ );
+
+/**
+ INT64 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToInt8 (
+ IN INT64 Operand,
+ OUT INT8 *Result
+ );
+
+/**
+ INT64 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToChar8 (
+ IN INT64 Operand,
+ OUT CHAR8 *Result
+ );
+
+/**
+ INT64 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToUint8 (
+ IN INT64 Operand,
+ OUT UINT8 *Result
+ );
+
+/**
+ INT64 -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToInt16 (
+ IN INT64 Operand,
+ OUT INT16 *Result
+ );
+
+/**
+ INT64 -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToUint16 (
+ IN INT64 Operand,
+ OUT UINT16 *Result
+ );
+
+/**
+ INT64 -> INT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToInt32 (
+ IN INT64 Operand,
+ OUT INT32 *Result
+ );
+
+/**
+ INT64 -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToUint32 (
+ IN INT64 Operand,
+ OUT UINT32 *Result
+ );
+
+/**
+ INT64 -> INTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToIntn (
+ IN INT64 Operand,
+ OUT INTN *Result
+ );
+
+/**
+ INT64 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToUintn (
+ IN INT64 Operand,
+ OUT UINTN *Result
+ );
+
+/**
+ INT64 -> UINT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToUint64 (
+ IN INT64 Operand,
+ OUT UINT64 *Result
+ );
+
+/**
+ UINT64 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToInt8 (
+ IN UINT64 Operand,
+ OUT INT8 *Result
+ );
+
+/**
+ UINT64 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToChar8 (
+ IN UINT64 Operand,
+ OUT CHAR8 *Result
+ );
+
+/**
+ UINT64 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToUint8 (
+ IN UINT64 Operand,
+ OUT UINT8 *Result
+ );
+
+/**
+ UINT64 -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToInt16 (
+ IN UINT64 Operand,
+ OUT INT16 *Result
+ );
+
+/**
+ UINT64 -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToUint16 (
+ IN UINT64 Operand,
+ OUT UINT16 *Result
+ );
+
+/**
+ UINT64 -> INT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToInt32 (
+ IN UINT64 Operand,
+ OUT INT32 *Result
+ );
+
+/**
+ UINT64 -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToUint32 (
+ IN UINT64 Operand,
+ OUT UINT32 *Result
+ );
+
+/**
+ UINT64 -> INTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToIntn (
+ IN UINT64 Operand,
+ OUT INTN *Result
+ );
+
+/**
+ UINT64 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToUintn (
+ IN UINT64 Operand,
+ OUT UINTN *Result
+ );
+
+/**
+ UINT64 -> INT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToInt64 (
+ IN UINT64 Operand,
+ OUT INT64 *Result
+ );
+
+//
+// Addition functions
+//
+
+/**
+ UINT8 addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint8Add (
+ IN UINT8 Augend,
+ IN UINT8 Addend,
+ OUT UINT8 *Result
+ );
+
+/**
+ UINT16 addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16Add (
+ IN UINT16 Augend,
+ IN UINT16 Addend,
+ OUT UINT16 *Result
+ );
+
+/**
+ UINT32 addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32Add (
+ IN UINT32 Augend,
+ IN UINT32 Addend,
+ OUT UINT32 *Result
+ );
+
+/**
+ UINTN addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnAdd (
+ IN UINTN Augend,
+ IN UINTN Addend,
+ OUT UINTN *Result
+ );
+
+/**
+ UINT64 addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64Add (
+ IN UINT64 Augend,
+ IN UINT64 Addend,
+ OUT UINT64 *Result
+ );
+
+//
+// Subtraction functions
+//
+
+/**
+ UINT8 subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint8Sub (
+ IN UINT8 Minuend,
+ IN UINT8 Subtrahend,
+ OUT UINT8 *Result
+ );
+
+/**
+ UINT16 subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16Sub (
+ IN UINT16 Minuend,
+ IN UINT16 Subtrahend,
+ OUT UINT16 *Result
+ );
+
+/**
+ UINT32 subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32Sub (
+ IN UINT32 Minuend,
+ IN UINT32 Subtrahend,
+ OUT UINT32 *Result
+ );
+
+/**
+ UINTN subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnSub (
+ IN UINTN Minuend,
+ IN UINTN Subtrahend,
+ OUT UINTN *Result
+ );
+
+/**
+ UINT64 subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64Sub (
+ IN UINT64 Minuend,
+ IN UINT64 Subtrahend,
+ OUT UINT64 *Result
+ );
+
+//
+// Multiplication functions
+//
+
+/**
+ UINT8 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint8Mult (
+ IN UINT8 Multiplicand,
+ IN UINT8 Multiplier,
+ OUT UINT8 *Result
+ );
+
+/**
+ UINT16 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16Mult (
+ IN UINT16 Multiplicand,
+ IN UINT16 Multiplier,
+ OUT UINT16 *Result
+ );
+
+/**
+ UINT32 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32Mult (
+ IN UINT32 Multiplicand,
+ IN UINT32 Multiplier,
+ OUT UINT32 *Result
+ );
+
+/**
+ UINTN multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnMult (
+ IN UINTN Multiplicand,
+ IN UINTN Multiplier,
+ OUT UINTN *Result
+ );
+
+/**
+ UINT64 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64Mult (
+ IN UINT64 Multiplicand,
+ IN UINT64 Multiplier,
+ OUT UINT64 *Result
+ );
+
+//
+// Signed operations
+//
+// Strongly consider using unsigned numbers.
+//
+// Signed numbers are often used where unsigned numbers should be used.
+// For example file sizes and array indices should always be unsigned.
+// Subtracting a larger positive signed number from a smaller positive
+// signed number with SafeInt32Sub will succeed, producing a negative number,
+// that then must not be used as an array index (but can occasionally be
+// used as a pointer index.) Similarly for adding a larger magnitude
+// negative number to a smaller magnitude positive number.
+//
+// This library does not protect you from such errors. It tells you if your
+// integer operations overflowed, not if you are doing the right thing
+// with your non-overflowed integers.
+//
+// Likewise you can overflow a buffer with a non-overflowed unsigned index.
+//
+
+//
+// Signed addition functions
+//
+
+/**
+ INT8 Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8Add (
+ IN INT8 Augend,
+ IN INT8 Addend,
+ OUT INT8 *Result
+ );
+
+/**
+ CHAR8 Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeChar8Add (
+ IN CHAR8 Augend,
+ IN CHAR8 Addend,
+ OUT CHAR8 *Result
+ );
+
+/**
+ INT16 Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16Add (
+ IN INT16 Augend,
+ IN INT16 Addend,
+ OUT INT16 *Result
+ );
+
+/**
+ INT32 Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32Add (
+ IN INT32 Augend,
+ IN INT32 Addend,
+ OUT INT32 *Result
+ );
+
+/**
+ INTN Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnAdd (
+ IN INTN Augend,
+ IN INTN Addend,
+ OUT INTN *Result
+ );
+
+/**
+ INT64 Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64Add (
+ IN INT64 Augend,
+ IN INT64 Addend,
+ OUT INT64 *Result
+ );
+
+//
+// Signed subtraction functions
+//
+
+/**
+ INT8 Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8Sub (
+ IN INT8 Minuend,
+ IN INT8 Subtrahend,
+ OUT INT8 *Result
+ );
+
+/**
+ CHAR8 Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeChar8Sub (
+ IN CHAR8 Minuend,
+ IN CHAR8 Subtrahend,
+ OUT CHAR8 *Result
+ );
+
+/**
+ INT16 Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16Sub (
+ IN INT16 Minuend,
+ IN INT16 Subtrahend,
+ OUT INT16 *Result
+ );
+
+/**
+ INT32 Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32Sub (
+ IN INT32 Minuend,
+ IN INT32 Subtrahend,
+ OUT INT32 *Result
+ );
+
+/**
+ INTN Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnSub (
+ IN INTN Minuend,
+ IN INTN Subtrahend,
+ OUT INTN *Result
+ );
+
+/**
+ INT64 Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64Sub (
+ IN INT64 Minuend,
+ IN INT64 Subtrahend,
+ OUT INT64 *Result
+ );
+
+//
+// Signed multiplication functions
+//
+
+/**
+ INT8 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8Mult (
+ IN INT8 Multiplicand,
+ IN INT8 Multiplier,
+ OUT INT8 *Result
+ );
+
+/**
+ CHAR8 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeChar8Mult (
+ IN CHAR8 Multiplicand,
+ IN CHAR8 Multiplier,
+ OUT CHAR8 *Result
+ );
+
+/**
+ INT16 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16Mult (
+ IN INT16 Multiplicand,
+ IN INT16 Multiplier,
+ OUT INT16 *Result
+ );
+
+/**
+ INT32 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32Mult (
+ IN INT32 Multiplicand,
+ IN INT32 Multiplier,
+ OUT INT32 *Result
+ );
+
+/**
+ INTN multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnMult (
+ IN INTN Multiplicand,
+ IN INTN Multiplier,
+ OUT INTN *Result
+ );
+
+/**
+ INT64 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64Mult (
+ IN INT64 Multiplicand,
+ IN INT64 Multiplier,
+ OUT INT64 *Result
+ );
+
+#endif // __INT_SAFE_LIB_H__
diff --git a/MdePkg/Include/X64/ProcessorBind.h b/MdePkg/Include/X64/ProcessorBind.h
index 705104af062a..6655a393d790 100644
--- a/MdePkg/Include/X64/ProcessorBind.h
+++ b/MdePkg/Include/X64/ProcessorBind.h
@@ -253,6 +253,11 @@ typedef INT64 INTN;
#define MAX_INTN ((INTN)0x7FFFFFFFFFFFFFFFULL)
#define MAX_UINTN ((UINTN)0xFFFFFFFFFFFFFFFFULL)
+///
+/// Minimum legal x64 INTN value.
+///
+#define MIN_INTN (((INTN)-9223372036854775807LL) - 1)
+
///
/// The stack alignment required for x64
///
diff --git a/MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf b/MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
new file mode 100644
index 000000000000..20a83ed97bca
--- /dev/null
+++ b/MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
@@ -0,0 +1,58 @@
+## @file
+# Safe Integer Library
+#
+# This library provides helper functions to prevent integer overflow during
+# type conversion, addition, subtraction, and multiplication.
+#
+# Copyright (c) 2017, Microsoft Corporation
+#
+# All rights reserved.
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# 1. Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = BaseSafeIntLib
+ FILE_GUID = 4EA91BFA-3482-4930-B136-70679C6CE489
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = SafeIntLib
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ SafeIntLib.c
+
+[Sources.Ia32, Sources.ARM]
+ SafeIntLib32.c
+
+[Sources.X64, Sources.IPF, Sources.AARCH64]
+ SafeIntLib64.c
+
+[Sources.EBC]
+ SafeIntLibEbc.c
+
+[Packages]
+ MdePkg/MdePkg.dec
diff --git a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
new file mode 100644
index 000000000000..d846160ba0d1
--- /dev/null
+++ b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
@@ -0,0 +1,4098 @@
+/** @file
+ This library provides helper functions to prevent integer overflow during
+ type conversion, addition, subtraction, and multiplication.
+
+ Copyright (c) 2017, Microsoft Corporation
+
+ All rights reserved.
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+**/
+
+#include <Base.h>
+#include <Library/SafeIntLib.h>
+
+
+//
+// Magnitude of MIN_INT64 as expressed by a UINT64 number.
+//
+#define MIN_INT64_MAGNITUDE ((((UINT64) - (MIN_INT64 + 1))) + 1)
+
+//
+// Conversion functions
+//
+// There are three reasons for having conversion functions:
+//
+// 1. We are converting from a signed type to an unsigned type of the same
+// size, or vice-versa.
+//
+// 2. We are converting to a smaller type, and we could therefore possibly
+// overflow.
+//
+// 3. We are converting to a bigger type, and we are signed and the type we are
+// converting to is unsigned.
+//
+
+/**
+ INT8 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8ToUint8 (
+ IN INT8 Operand,
+ OUT UINT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT8 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8ToChar8 (
+ IN INT8 Operand,
+ OUT CHAR8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (CHAR8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = CHAR8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT8 -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8ToUint16 (
+ IN INT8 Operand,
+ OUT UINT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT8 -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8ToUint32 (
+ IN INT8 Operand,
+ OUT UINT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINT32)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT8 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8ToUintn (
+ IN INT8 Operand,
+ OUT UINTN *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINTN)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINTN_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT8 -> UINT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8ToUint64 (
+ IN INT8 Operand,
+ OUT UINT64 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINT64)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT64_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT8 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint8ToInt8 (
+ IN UINT8 Operand,
+ OUT INT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT8) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT8 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint8ToChar8 (
+ IN UINT8 Operand,
+ OUT CHAR8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT8) {
+ *Result = (CHAR8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = CHAR8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT16 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToInt8 (
+ IN INT16 Operand,
+ OUT INT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= MIN_INT8) && (Operand <= MAX_INT8)) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT16 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToChar8 (
+ IN INT16 Operand,
+ OUT CHAR8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= 0) && (Operand <= MAX_INT8)) {
+ *Result = (CHAR8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = CHAR8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT16 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToUint8 (
+ IN INT16 Operand,
+ OUT UINT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= 0) && (Operand <= MAX_UINT8)) {
+ *Result = (UINT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT16 -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToUint16 (
+ IN INT16 Operand,
+ OUT UINT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT16 -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToUint32 (
+ IN INT16 Operand,
+ OUT UINT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINT32)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT16 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToUintn (
+ IN INT16 Operand,
+ OUT UINTN *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINTN)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINTN_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT16 -> UINT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16ToUint64 (
+ IN INT16 Operand,
+ OUT UINT64 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINT64)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT64_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT16 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16ToInt8 (
+ IN UINT16 Operand,
+ OUT INT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT8) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT16 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16ToChar8 (
+ IN UINT16 Operand,
+ OUT CHAR8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT8) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = CHAR8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT16 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16ToUint8 (
+ IN UINT16 Operand,
+ OUT UINT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_UINT8) {
+ *Result = (UINT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT16 -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16ToInt16 (
+ IN UINT16 Operand,
+ OUT INT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT16) {
+ *Result = (INT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT32 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToInt8 (
+ IN INT32 Operand,
+ OUT INT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= MIN_INT8) && (Operand <= MAX_INT8)) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT32 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToChar8 (
+ IN INT32 Operand,
+ OUT CHAR8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= 0) && (Operand <= MAX_INT8)) {
+ *Result = (CHAR8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = CHAR8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT32 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToUint8 (
+ IN INT32 Operand,
+ OUT UINT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= 0) && (Operand <= MAX_UINT8)) {
+ *Result = (UINT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT32 -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToInt16 (
+ IN INT32 Operand,
+ OUT INT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= MIN_INT16) && (Operand <= MAX_INT16)) {
+ *Result = (INT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT32 -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToUint16 (
+ IN INT32 Operand,
+ OUT UINT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= 0) && (Operand <= MAX_UINT16)) {
+ *Result = (UINT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT32 -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToUint32 (
+ IN INT32 Operand,
+ OUT UINT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINT32)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT32 -> UINT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToUint64 (
+ IN INT32 Operand,
+ OUT UINT64 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINT64)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT64_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT32 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToInt8 (
+ IN UINT32 Operand,
+ OUT INT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT8) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT32 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToChar8 (
+ IN UINT32 Operand,
+ OUT CHAR8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT8) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = CHAR8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT32 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToUint8 (
+ IN UINT32 Operand,
+ OUT UINT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_UINT8) {
+ *Result = (UINT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT32 -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToInt16 (
+ IN UINT32 Operand,
+ OUT INT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT16) {
+ *Result = (INT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT32 -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToUint16 (
+ IN UINT32 Operand,
+ OUT UINT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_UINT16) {
+ *Result = (UINT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT32 -> INT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToInt32 (
+ IN UINT32 Operand,
+ OUT INT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT32) {
+ *Result = (INT32)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INTN -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToInt8 (
+ IN INTN Operand,
+ OUT INT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= MIN_INT8) && (Operand <= MAX_INT8)) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INTN -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToChar8 (
+ IN INTN Operand,
+ OUT CHAR8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= 0) && (Operand <= MAX_INT8)) {
+ *Result = (CHAR8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = CHAR8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INTN -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToUint8 (
+ IN INTN Operand,
+ OUT UINT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= 0) && (Operand <= MAX_UINT8)) {
+ *Result = (UINT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INTN -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToInt16 (
+ IN INTN Operand,
+ OUT INT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= MIN_INT16) && (Operand <= MAX_INT16)) {
+ *Result = (INT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INTN -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToUint16 (
+ IN INTN Operand,
+ OUT UINT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= 0) && (Operand <= MAX_UINT16)) {
+ *Result = (UINT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INTN -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToUintn (
+ IN INTN Operand,
+ OUT UINTN *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINTN)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINTN_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INTN -> UINT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToUint64 (
+ IN INTN Operand,
+ OUT UINT64 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINT64)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT64_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINTN -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToInt8 (
+ IN UINTN Operand,
+ OUT INT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT8) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINTN -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToChar8 (
+ IN UINTN Operand,
+ OUT CHAR8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT8) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = CHAR8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINTN -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToUint8 (
+ IN UINTN Operand,
+ OUT UINT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_UINT8) {
+ *Result = (UINT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINTN -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToInt16 (
+ IN UINTN Operand,
+ OUT INT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT16) {
+ *Result = (INT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINTN -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToUint16 (
+ IN UINTN Operand,
+ OUT UINT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_UINT16) {
+ *Result = (UINT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINTN -> INT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToInt32 (
+ IN UINTN Operand,
+ OUT INT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT32) {
+ *Result = (INT32)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINTN -> INTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToIntn (
+ IN UINTN Operand,
+ OUT INTN *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INTN) {
+ *Result = (INTN)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INTN_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT64 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToInt8 (
+ IN INT64 Operand,
+ OUT INT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= MIN_INT8) && (Operand <= MAX_INT8)) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT64 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToChar8 (
+ IN INT64 Operand,
+ OUT CHAR8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= 0) && (Operand <= MAX_INT8)) {
+ *Result = (CHAR8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = CHAR8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT64 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToUint8 (
+ IN INT64 Operand,
+ OUT UINT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= 0) && (Operand <= MAX_UINT8)) {
+ *Result = (UINT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT64 -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToInt16 (
+ IN INT64 Operand,
+ OUT INT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= MIN_INT16) && (Operand <= MAX_INT16)) {
+ *Result = (INT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT64 -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToUint16 (
+ IN INT64 Operand,
+ OUT UINT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= 0) && (Operand <= MAX_UINT16)) {
+ *Result = (UINT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT64 -> INT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToInt32 (
+ IN INT64 Operand,
+ OUT INT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= MIN_INT32) && (Operand <= MAX_INT32)) {
+ *Result = (INT32)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT64 -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToUint32 (
+ IN INT64 Operand,
+ OUT UINT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Operand >= 0) && (Operand <= MAX_UINT32)) {
+ *Result = (UINT32)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ INT64 -> UINT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToUint64 (
+ IN INT64 Operand,
+ OUT UINT64 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINT64)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT64_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT64 -> INT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToInt8 (
+ IN UINT64 Operand,
+ OUT INT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT8) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT64 -> CHAR8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToChar8 (
+ IN UINT64 Operand,
+ OUT CHAR8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT8) {
+ *Result = (INT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = CHAR8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT64 -> UINT8 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToUint8 (
+ IN UINT64 Operand,
+ OUT UINT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_UINT8) {
+ *Result = (UINT8)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT64 -> INT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToInt16 (
+ IN UINT64 Operand,
+ OUT INT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT16) {
+ *Result = (INT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT64 -> UINT16 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToUint16 (
+ IN UINT64 Operand,
+ OUT UINT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_UINT16) {
+ *Result = (UINT16)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT64 -> INT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToInt32 (
+ IN UINT64 Operand,
+ OUT INT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT32) {
+ *Result = (INT32)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT64 -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToUint32 (
+ IN UINT64 Operand,
+ OUT UINT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_UINT32) {
+ *Result = (UINT32)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT64 -> INTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToIntn (
+ IN UINT64 Operand,
+ OUT INTN *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INTN) {
+ *Result = (INTN)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INTN_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT64 -> INT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToInt64 (
+ IN UINT64 Operand,
+ OUT INT64 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand <= MAX_INT64) {
+ *Result = (INT64)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = INT64_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+//
+// Addition functions
+//
+
+/**
+ UINT8 addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint8Add (
+ IN UINT8 Augend,
+ IN UINT8 Addend,
+ OUT UINT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (((UINT8)(Augend + Addend)) >= Augend) {
+ *Result = (UINT8)(Augend + Addend);
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT16 addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16Add (
+ IN UINT16 Augend,
+ IN UINT16 Addend,
+ OUT UINT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (((UINT16)(Augend + Addend)) >= Augend) {
+ *Result = (UINT16)(Augend + Addend);
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT32 addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32Add (
+ IN UINT32 Augend,
+ IN UINT32 Addend,
+ OUT UINT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Augend + Addend) >= Augend) {
+ *Result = (Augend + Addend);
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT64 addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64Add (
+ IN UINT64 Augend,
+ IN UINT64 Addend,
+ OUT UINT64 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Augend + Addend) >= Augend) {
+ *Result = (Augend + Addend);
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT64_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+//
+// Subtraction functions
+//
+
+/**
+ UINT8 subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint8Sub (
+ IN UINT8 Minuend,
+ IN UINT8 Subtrahend,
+ OUT UINT8 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Minuend >= Subtrahend) {
+ *Result = (UINT8)(Minuend - Subtrahend);
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT8_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT16 subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16Sub (
+ IN UINT16 Minuend,
+ IN UINT16 Subtrahend,
+ OUT UINT16 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Minuend >= Subtrahend) {
+ *Result = (UINT16)(Minuend - Subtrahend);
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT16_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT32 subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32Sub (
+ IN UINT32 Minuend,
+ IN UINT32 Subtrahend,
+ OUT UINT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Minuend >= Subtrahend) {
+ *Result = (Minuend - Subtrahend);
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINT64 subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64Sub (
+ IN UINT64 Minuend,
+ IN UINT64 Subtrahend,
+ OUT UINT64 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Minuend >= Subtrahend) {
+ *Result = (Minuend - Subtrahend);
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT64_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+//
+// Multiplication functions
+//
+
+/**
+ UINT8 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint8Mult (
+ IN UINT8 Multiplicand,
+ IN UINT8 Multiplier,
+ OUT UINT8 *Result
+ )
+{
+ UINT32 IntermediateResult;
+
+ IntermediateResult = ((UINT32)Multiplicand) *((UINT32)Multiplier);
+
+ return SafeUint32ToUint8 (IntermediateResult, Result);
+}
+
+/**
+ UINT16 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint16Mult (
+ IN UINT16 Multiplicand,
+ IN UINT16 Multiplier,
+ OUT UINT16 *Result
+ )
+{
+ UINT32 IntermediateResult;
+
+ IntermediateResult = ((UINT32)Multiplicand) *((UINT32)Multiplier);
+
+ return SafeUint32ToUint16 (IntermediateResult, Result);
+}
+
+/**
+ UINT32 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32Mult (
+ IN UINT32 Multiplicand,
+ IN UINT32 Multiplier,
+ OUT UINT32 *Result
+ )
+{
+ UINT64 IntermediateResult;
+
+ IntermediateResult = ((UINT64) Multiplicand) *((UINT64) Multiplier);
+
+ return SafeUint64ToUint32 (IntermediateResult, Result);
+}
+
+/**
+ UINT64 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64Mult (
+ IN UINT64 Multiplicand,
+ IN UINT64 Multiplier,
+ OUT UINT64 *Result
+ )
+{
+ RETURN_STATUS Status;
+ UINT32 DwordA;
+ UINT32 DwordB;
+ UINT32 DwordC;
+ UINT32 DwordD;
+ UINT64 ProductAD;
+ UINT64 ProductBC;
+ UINT64 ProductBD;
+ UINT64 UnsignedResult;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ ProductAD = 0;
+ ProductBC = 0;
+ ProductBD = 0;
+ UnsignedResult = 0;
+ Status = RETURN_BUFFER_TOO_SMALL;
+
+ //
+ // 64x64 into 128 is like 32.32 x 32.32.
+ //
+ // a.b * c.d = a*(c.d) + .b*(c.d) = a*c + a*.d + .b*c + .b*.d
+ // back in non-decimal notation where A=a*2^32 and C=c*2^32:
+ // A*C + A*d + b*C + b*d
+ // So there are four components to add together.
+ // result = (a*c*2^64) + (a*d*2^32) + (b*c*2^32) + (b*d)
+ //
+ // a * c must be 0 or there would be bits in the high 64-bits
+ // a * d must be less than 2^32 or there would be bits in the high 64-bits
+ // b * c must be less than 2^32 or there would be bits in the high 64-bits
+ // then there must be no overflow of the resulting values summed up.
+ //
+ DwordA = (UINT32)(Multiplicand >> 32);
+ DwordC = (UINT32)(Multiplier >> 32);
+
+ //
+ // common case -- if high dwords are both zero, no chance for overflow
+ //
+ if ((DwordA == 0) && (DwordC == 0)) {
+ DwordB = (UINT32)Multiplicand;
+ DwordD = (UINT32)Multiplier;
+
+ *Result = (((UINT64)DwordB) *(UINT64)DwordD);
+ Status = RETURN_SUCCESS;
+ } else {
+ //
+ // a * c must be 0 or there would be bits set in the high 64-bits
+ //
+ if ((DwordA == 0) ||
+ (DwordC == 0)) {
+ DwordD = (UINT32)Multiplier;
+
+ //
+ // a * d must be less than 2^32 or there would be bits set in the high 64-bits
+ //
+ ProductAD = (((UINT64)DwordA) *(UINT64)DwordD);
+ if ((ProductAD & 0xffffffff00000000) == 0) {
+ DwordB = (UINT32)Multiplicand;
+
+ //
+ // b * c must be less than 2^32 or there would be bits set in the high 64-bits
+ //
+ ProductBC = (((UINT64)DwordB) *(UINT64)DwordC);
+ if ((ProductBC & 0xffffffff00000000) == 0) {
+ //
+ // now sum them all up checking for overflow.
+ // shifting is safe because we already checked for overflow above
+ //
+ if (!RETURN_ERROR (SafeUint64Add (ProductBC << 32, ProductAD << 32, &UnsignedResult))) {
+ //
+ // b * d
+ //
+ ProductBD = (((UINT64)DwordB) *(UINT64)DwordD);
+
+ if (!RETURN_ERROR (SafeUint64Add (UnsignedResult, ProductBD, &UnsignedResult))) {
+ *Result = UnsignedResult;
+ Status = RETURN_SUCCESS;
+ }
+ }
+ }
+ }
+ }
+ }
+
+ if (RETURN_ERROR (Status)) {
+ *Result = UINT64_ERROR;
+ }
+ return Status;
+}
+
+//
+// Signed operations
+//
+// Strongly consider using unsigned numbers.
+//
+// Signed numbers are often used where unsigned numbers should be used.
+// For example file sizes and array indices should always be unsigned.
+// Subtracting a larger positive signed number from a smaller positive
+// signed number with SafeInt32Sub will succeed, producing a negative number,
+// that then must not be used as an array index (but can occasionally be
+// used as a pointer index.) Similarly for adding a larger magnitude
+// negative number to a smaller magnitude positive number.
+//
+// This library does not protect you from such errors. It tells you if your
+// integer operations overflowed, not if you are doing the right thing
+// with your non-overflowed integers.
+//
+// Likewise you can overflow a buffer with a non-overflowed unsigned index.
+//
+
+//
+// Signed addition functions
+//
+
+/**
+ INT8 Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8Add (
+ IN INT8 Augend,
+ IN INT8 Addend,
+ OUT INT8 *Result
+ )
+{
+ return SafeInt32ToInt8 (((INT32)Augend) + ((INT32)Addend), Result);
+}
+
+/**
+ CHAR8 Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeChar8Add (
+ IN CHAR8 Augend,
+ IN CHAR8 Addend,
+ OUT CHAR8 *Result
+ )
+{
+ INT32 Augend32;
+ INT32 Addend32;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ Augend32 = (INT32)Augend;
+ Addend32 = (INT32)Addend;
+ if (Augend32 < 0 || Augend32 > MAX_INT8) {
+ *Result = CHAR8_ERROR;
+ return RETURN_BUFFER_TOO_SMALL;
+ }
+ if (Addend32 < 0 || Addend32 > MAX_INT8) {
+ *Result = CHAR8_ERROR;
+ return RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return SafeInt32ToChar8 (Augend32 + Addend32, Result);
+}
+
+/**
+ INT16 Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16Add (
+ IN INT16 Augend,
+ IN INT16 Addend,
+ OUT INT16 *Result
+ )
+{
+ return SafeInt32ToInt16 (((INT32)Augend) + ((INT32)Addend), Result);
+}
+
+/**
+ INT32 Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32Add (
+ IN INT32 Augend,
+ IN INT32 Addend,
+ OUT INT32 *Result
+ )
+{
+ return SafeInt64ToInt32 (((INT64)Augend) + ((INT64)Addend), Result);
+}
+
+/**
+ INT64 Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64Add (
+ IN INT64 Augend,
+ IN INT64 Addend,
+ OUT INT64 *Result
+ )
+{
+ RETURN_STATUS Status;
+ INT64 SignedResult;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ SignedResult = Augend + Addend;
+
+ //
+ // Adding positive to negative never overflows.
+ // If you add two positive numbers, you expect a positive result.
+ // If you add two negative numbers, you expect a negative result.
+ // Overflow if inputs are the same sign and output is not that sign.
+ //
+ if (((Augend < 0) == (Addend < 0)) &&
+ ((Augend < 0) != (SignedResult < 0))) {
+ *Result = INT64_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ } else {
+ *Result = SignedResult;
+ Status = RETURN_SUCCESS;
+ }
+
+ return Status;
+}
+
+//
+// Signed subtraction functions
+//
+
+/**
+ INT8 Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8Sub (
+ IN INT8 Minuend,
+ IN INT8 Subtrahend,
+ OUT INT8 *Result
+ )
+{
+ return SafeInt32ToInt8 (((INT32)Minuend) - ((INT32)Subtrahend), Result);
+}
+
+/**
+ CHAR8 Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeChar8Sub (
+ IN CHAR8 Minuend,
+ IN CHAR8 Subtrahend,
+ OUT CHAR8 *Result
+ )
+{
+ INT32 Minuend32;
+ INT32 Subtrahend32;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ Minuend32 = (INT32)Minuend;
+ Subtrahend32 = (INT32)Subtrahend;
+ if (Minuend32 < 0 || Minuend32 > MAX_INT8) {
+ *Result = CHAR8_ERROR;
+ return RETURN_BUFFER_TOO_SMALL;
+ }
+ if (Subtrahend32 < 0 || Subtrahend32 > MAX_INT8) {
+ *Result = CHAR8_ERROR;
+ return RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return SafeInt32ToChar8 (Minuend32 - Subtrahend32, Result);
+}
+
+/**
+ INT16 Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16Sub (
+ IN INT16 Minuend,
+ IN INT16 Subtrahend,
+ OUT INT16 *Result
+ )
+{
+ return SafeInt32ToInt16 (((INT32)Minuend) - ((INT32)Subtrahend), Result);
+}
+
+/**
+ INT32 Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32Sub (
+ IN INT32 Minuend,
+ IN INT32 Subtrahend,
+ OUT INT32 *Result
+ )
+{
+ return SafeInt64ToInt32 (((INT64)Minuend) - ((INT64)Subtrahend), Result);
+}
+
+/**
+ INT64 Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64Sub (
+ IN INT64 Minuend,
+ IN INT64 Subtrahend,
+ OUT INT64 *Result
+ )
+{
+ RETURN_STATUS Status;
+ INT64 SignedResult;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ SignedResult = Minuend - Subtrahend;
+
+ //
+ // Subtracting a positive number from a positive number never overflows.
+ // Subtracting a negative number from a negative number never overflows.
+ // If you subtract a negative number from a positive number, you expect a positive result.
+ // If you subtract a positive number from a negative number, you expect a negative result.
+ // Overflow if inputs vary in sign and the output does not have the same sign as the first input.
+ //
+ if (((Minuend < 0) != (Subtrahend < 0)) &&
+ ((Minuend < 0) != (SignedResult < 0))) {
+ *Result = INT64_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ } else {
+ *Result = SignedResult;
+ Status = RETURN_SUCCESS;
+ }
+
+ return Status;
+}
+
+//
+// Signed multiplication functions
+//
+
+/**
+ INT8 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt8Mult (
+ IN INT8 Multiplicand,
+ IN INT8 Multiplier,
+ OUT INT8 *Result
+ )
+{
+ return SafeInt32ToInt8 (((INT32)Multiplier) *((INT32)Multiplicand), Result);
+}
+
+/**
+ CHAR8 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeChar8Mult (
+ IN CHAR8 Multiplicand,
+ IN CHAR8 Multiplier,
+ OUT CHAR8 *Result
+ )
+{
+ INT32 Multiplicand32;
+ INT32 Multiplier32;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ Multiplicand32 = (INT32)Multiplicand;
+ Multiplier32 = (INT32)Multiplier;
+ if (Multiplicand32 < 0 || Multiplicand32 > MAX_INT8) {
+ *Result = CHAR8_ERROR;
+ return RETURN_BUFFER_TOO_SMALL;
+ }
+ if (Multiplier32 < 0 || Multiplier32 > MAX_INT8) {
+ *Result = CHAR8_ERROR;
+ return RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return SafeInt32ToChar8 (Multiplicand32 * Multiplier32, Result);
+}
+
+/**
+ INT16 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt16Mult (
+ IN INT16 Multiplicand,
+ IN INT16 Multiplier,
+ OUT INT16 *Result
+ )
+{
+ return SafeInt32ToInt16 (((INT32)Multiplicand) *((INT32)Multiplier), Result);
+}
+
+/**
+ INT32 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32Mult (
+ IN INT32 Multiplicand,
+ IN INT32 Multiplier,
+ OUT INT32 *Result
+ )
+{
+ return SafeInt64ToInt32 (((INT64)Multiplicand) *((INT64)Multiplier), Result);
+}
+
+/**
+ INT64 multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64Mult (
+ IN INT64 Multiplicand,
+ IN INT64 Multiplier,
+ OUT INT64 *Result
+ )
+{
+ RETURN_STATUS Status;
+ UINT64 UnsignedMultiplicand;
+ UINT64 UnsignedMultiplier;
+ UINT64 UnsignedResult;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ //
+ // Split into sign and magnitude, do unsigned operation, apply sign.
+ //
+ if (Multiplicand < 0) {
+ //
+ // Avoid negating the most negative number.
+ //
+ UnsignedMultiplicand = ((UINT64)(- (Multiplicand + 1))) + 1;
+ } else {
+ UnsignedMultiplicand = (UINT64)Multiplicand;
+ }
+
+ if (Multiplier < 0) {
+ //
+ // Avoid negating the most negative number.
+ //
+ UnsignedMultiplier = ((UINT64)(- (Multiplier + 1))) + 1;
+ } else {
+ UnsignedMultiplier = (UINT64)Multiplier;
+ }
+
+ Status = SafeUint64Mult (UnsignedMultiplicand, UnsignedMultiplier, &UnsignedResult);
+ if (!RETURN_ERROR (Status)) {
+ if ((Multiplicand < 0) != (Multiplier < 0)) {
+ if (UnsignedResult > MIN_INT64_MAGNITUDE) {
+ *Result = INT64_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ } else {
+ *Result = - ((INT64)UnsignedResult);
+ }
+ } else {
+ if (UnsignedResult > MAX_INT64) {
+ *Result = INT64_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ } else {
+ *Result = (INT64)UnsignedResult;
+ }
+ }
+ } else {
+ *Result = INT64_ERROR;
+ }
+ return Status;
+}
+
diff --git a/MdePkg/Library/BaseSafeIntLib/SafeIntLib32.c b/MdePkg/Library/BaseSafeIntLib/SafeIntLib32.c
new file mode 100644
index 000000000000..18bfb9e4130c
--- /dev/null
+++ b/MdePkg/Library/BaseSafeIntLib/SafeIntLib32.c
@@ -0,0 +1,554 @@
+/** @file
+ This library provides helper functions to prevent integer overflow during
+ type conversion, addition, subtraction, and multiplication.
+
+ Copyright (c) 2017, Microsoft Corporation
+
+ All rights reserved.
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+**/
+
+#include <Base.h>
+#include <Library/SafeIntLib.h>
+
+/**
+ INT32 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToUintn (
+ IN INT32 Operand,
+ OUT UINTN *Result
+ )
+{
+ return SafeInt32ToUint32 (Operand, (UINT32 *)Result);
+}
+
+/**
+ UINT32 -> INTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToIntn (
+ IN UINT32 Operand,
+ OUT INTN *Result
+ )
+{
+ return SafeUint32ToInt32 (Operand, (INT32 *)Result);
+}
+
+/**
+ INTN -> INT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToInt32 (
+ IN INTN Operand,
+ OUT INT32 *Result
+ )
+{
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ *Result = (INT32)Operand;
+ return RETURN_SUCCESS;
+}
+
+/**
+ INTN -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToUint32 (
+ IN INTN Operand,
+ OUT UINT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Operand >= 0) {
+ *Result = (UINT32)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINTN -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToUint32 (
+ IN UINTN Operand,
+ OUT UINT32 *Result
+ )
+{
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ *Result = (UINT32)Operand;
+ return RETURN_SUCCESS;
+}
+
+/**
+ UINTN -> INT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToInt64 (
+ IN UINTN Operand,
+ OUT INT64 *Result
+ )
+{
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ *Result = (INT64)Operand;
+ return RETURN_SUCCESS;
+}
+
+/**
+ INT64 -> INTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToIntn (
+ IN INT64 Operand,
+ OUT INTN *Result
+ )
+{
+ return SafeInt64ToInt32 (Operand, (INT32 *)Result);
+}
+
+/**
+ INT64 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToUintn (
+ IN INT64 Operand,
+ OUT UINTN *Result
+ )
+{
+ return SafeInt64ToUint32 (Operand, (UINT32 *)Result);
+}
+
+/**
+ UINT64 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToUintn (
+ IN UINT64 Operand,
+ OUT UINTN *Result
+ )
+{
+ return SafeUint64ToUint32 ((UINT64) Operand, (UINT32 *)Result);
+}
+
+/**
+ UINTN addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnAdd (
+ IN UINTN Augend,
+ IN UINTN Addend,
+ OUT UINTN *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if ((Augend + Addend) >= Augend) {
+ *Result = (Augend + Addend);
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINTN_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINTN subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnSub (
+ IN UINTN Minuend,
+ IN UINTN Subtrahend,
+ OUT UINTN *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (Minuend >= Subtrahend) {
+ *Result = (Minuend - Subtrahend);
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINTN_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+}
+
+/**
+ UINTN multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnMult (
+ IN UINTN Multiplicand,
+ IN UINTN Multiplier,
+ OUT UINTN *Result
+ )
+{
+ UINT64 IntermediateResult;
+
+ IntermediateResult = ((UINT64) Multiplicand) *((UINT64) Multiplier);
+
+ return SafeUint64ToUintn (IntermediateResult, Result);
+}
+
+/**
+ INTN Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnAdd (
+ IN INTN Augend,
+ IN INTN Addend,
+ OUT INTN *Result
+ )
+{
+ return SafeInt64ToIntn (((INT64)Augend) + ((INT64)Addend), Result);
+}
+
+/**
+ INTN Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnSub (
+ IN INTN Minuend,
+ IN INTN Subtrahend,
+ OUT INTN *Result
+ )
+{
+ return SafeInt64ToIntn (((INT64)Minuend) - ((INT64)Subtrahend), Result);
+}
+
+/**
+ INTN multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnMult (
+ IN INTN Multiplicand,
+ IN INTN Multiplier,
+ OUT INTN *Result
+ )
+{
+ return SafeInt64ToIntn (((INT64)Multiplicand) *((INT64)Multiplier), Result);
+}
+
diff --git a/MdePkg/Library/BaseSafeIntLib/SafeIntLib64.c b/MdePkg/Library/BaseSafeIntLib/SafeIntLib64.c
new file mode 100644
index 000000000000..b423c5cc1bdc
--- /dev/null
+++ b/MdePkg/Library/BaseSafeIntLib/SafeIntLib64.c
@@ -0,0 +1,508 @@
+/** @file
+ This library provides helper functions to prevent integer overflow during
+ type conversion, addition, subtraction, and multiplication.
+
+ Copyright (c) 2017, Microsoft Corporation
+
+ All rights reserved.
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+**/
+
+#include <Base.h>
+#include <Library/SafeIntLib.h>
+
+/**
+ INT32 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToUintn (
+ IN INT32 Operand,
+ OUT UINTN *Result
+ )
+{
+ return SafeInt32ToUint64 (Operand, (UINT64 *) Result);
+}
+
+/**
+ UINT32 -> INTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToIntn (
+ IN UINT32 Operand,
+ OUT INTN *Result
+ )
+{
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ *Result = Operand;
+ return RETURN_SUCCESS;
+}
+
+/**
+ INTN -> INT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToInt32 (
+ IN INTN Operand,
+ OUT INT32 *Result
+ )
+{
+ return SafeInt64ToInt32 ((INT64) Operand, Result);
+}
+
+/**
+ INTN -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToUint32 (
+ IN INTN Operand,
+ OUT UINT32 *Result
+ )
+{
+ return SafeInt64ToUint32 ((INT64)Operand, Result);
+}
+
+/**
+ UINTN -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToUint32 (
+ IN UINTN Operand,
+ OUT UINT32 *Result
+ )
+{
+ return SafeUint64ToUint32 ((UINT64)Operand, Result);
+}
+
+/**
+ UINTN -> INT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToInt64 (
+ IN UINTN Operand,
+ OUT INT64 *Result
+ )
+{
+ return SafeUint64ToInt64 ((UINT64)Operand, Result);
+}
+
+/**
+ INT64 -> INTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToIntn (
+ IN INT64 Operand,
+ OUT INTN *Result
+ )
+{
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ *Result = (INTN)Operand;
+ return RETURN_SUCCESS;
+}
+
+/**
+ INT64 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToUintn (
+ IN INT64 Operand,
+ OUT UINTN *Result
+ )
+{
+ return SafeInt64ToUint64 (Operand, (UINT64 *)Result);
+}
+
+/**
+ UINT64 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToUintn (
+ IN UINT64 Operand,
+ OUT UINTN *Result
+ )
+{
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ *Result = Operand;
+ return RETURN_SUCCESS;
+}
+
+/**
+ UINTN addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnAdd (
+ IN UINTN Augend,
+ IN UINTN Addend,
+ OUT UINTN *Result
+ )
+{
+ return SafeUint64Add ((UINT64)Augend, (UINT64)Addend, (UINT64 *)Result);
+}
+
+/**
+ UINTN subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnSub (
+ IN UINTN Minuend,
+ IN UINTN Subtrahend,
+ OUT UINTN *Result
+ )
+{
+ return SafeUint64Sub ((UINT64)Minuend, (UINT64)Subtrahend, (UINT64 *)Result);
+}
+
+/**
+ UINTN multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnMult (
+ IN UINTN Multiplicand,
+ IN UINTN Multiplier,
+ OUT UINTN *Result
+ )
+{
+ return SafeUint64Mult ((UINT64)Multiplicand, (UINT64)Multiplier, (UINT64 *)Result);
+}
+
+/**
+ INTN Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnAdd (
+ IN INTN Augend,
+ IN INTN Addend,
+ OUT INTN *Result
+ )
+{
+ return SafeInt64Add ((INT64)Augend, (INT64)Addend, (INT64 *)Result);
+}
+
+/**
+ INTN Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnSub (
+ IN INTN Minuend,
+ IN INTN Subtrahend,
+ OUT INTN *Result
+ )
+{
+ return SafeInt64Sub ((INT64)Minuend, (INT64)Subtrahend, (INT64 *)Result);
+}
+
+/**
+ INTN multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnMult (
+ IN INTN Multiplicand,
+ IN INTN Multiplier,
+ OUT INTN *Result
+ )
+{
+ return SafeInt64Mult ((INT64)Multiplicand, (INT64)Multiplier, (INT64 *)Result);
+}
+
diff --git a/MdePkg/Library/BaseSafeIntLib/SafeIntLibEbc.c b/MdePkg/Library/BaseSafeIntLib/SafeIntLibEbc.c
new file mode 100644
index 000000000000..4478957b7e33
--- /dev/null
+++ b/MdePkg/Library/BaseSafeIntLib/SafeIntLibEbc.c
@@ -0,0 +1,614 @@
+/** @file
+ This library provides helper functions to prevent integer overflow during
+ type conversion, addition, subtraction, and multiplication.
+
+ Copyright (c) 2017, Microsoft Corporation
+
+ All rights reserved.
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+**/
+
+#include <Base.h>
+#include <Library/SafeIntLib.h>
+
+/**
+ INT32 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt32ToUintn (
+ IN INT32 Operand,
+ OUT UINTN *Result
+ )
+{
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ return SafeInt32ToUint32 (Operand, (UINT32 *)Result);
+ }
+ return SafeInt32ToUint64 (Operand, (UINT64 *) Result);
+}
+
+/**
+ UINT32 -> INTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint32ToIntn (
+ IN UINT32 Operand,
+ OUT INTN *Result
+ )
+{
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ return SafeUint32ToInt32 (Operand, (INT32 *)Result);
+ }
+ *Result = Operand;
+ return RETURN_SUCCESS;
+}
+
+/**
+ INTN -> INT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToInt32 (
+ IN INTN Operand,
+ OUT INT32 *Result
+ )
+{
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ *Result = (INT32)Operand;
+ return RETURN_SUCCESS;
+ }
+ return SafeInt64ToInt32 ((INT64) Operand, Result);
+}
+
+/**
+ INTN -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnToUint32 (
+ IN INTN Operand,
+ OUT UINT32 *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ if (Operand >= 0) {
+ *Result = (UINT32)Operand;
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINT32_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+ }
+ return SafeInt64ToUint32 ((INT64)Operand, Result);
+}
+
+/**
+ UINTN -> UINT32 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToUint32 (
+ IN UINTN Operand,
+ OUT UINT32 *Result
+ )
+{
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ *Result = (UINT32)Operand;
+ return RETURN_SUCCESS;
+ }
+ return SafeUint64ToUint32 ((UINT64)Operand, Result);
+}
+
+/**
+ UINTN -> INT64 conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnToInt64 (
+ IN UINTN Operand,
+ OUT INT64 *Result
+ )
+{
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ *Result = (INT64)Operand;
+ return RETURN_SUCCESS;
+ }
+ return SafeUint64ToInt64 ((UINT64)Operand, Result);
+}
+
+/**
+ INT64 -> INTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToIntn (
+ IN INT64 Operand,
+ OUT INTN *Result
+ )
+{
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ return SafeInt64ToInt32 (Operand, (INT32 *)Result);
+ }
+ *Result = (INTN)Operand;
+ return RETURN_SUCCESS;
+}
+
+/**
+ INT64 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeInt64ToUintn (
+ IN INT64 Operand,
+ OUT UINTN *Result
+ )
+{
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ return SafeInt64ToUint32 (Operand, (UINT32 *)Result);
+ }
+ return SafeInt64ToUint64 (Operand, (UINT64 *)Result);
+}
+
+/**
+ UINT64 -> UINTN conversion
+
+ Converts the value specified by Operand to a value specified by Result type
+ and stores the converted value into the caller allocated output buffer
+ specified by Result. The caller must pass in a Result buffer that is at
+ least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the conversion results in an overflow or an underflow condition, then
+ Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Operand Operand to be converted to new type
+ @param[out] Result Pointer to the result of conversion
+
+ @retval RETURN_SUCCESS Successful conversion
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUint64ToUintn (
+ IN UINT64 Operand,
+ OUT UINTN *Result
+ )
+{
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ return SafeUint64ToUint32 ((UINT64) Operand, (UINT32 *)Result);
+ }
+ *Result = Operand;
+ return RETURN_SUCCESS;
+}
+
+/**
+ UINTN addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnAdd (
+ IN UINTN Augend,
+ IN UINTN Addend,
+ OUT UINTN *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ if ((UINT32)(Augend + Addend) >= Augend) {
+ *Result = (Augend + Addend);
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINTN_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+ }
+ return SafeUint64Add ((UINT64)Augend, (UINT64)Addend, (UINT64 *)Result);
+}
+
+/**
+ UINTN subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnSub (
+ IN UINTN Minuend,
+ IN UINTN Subtrahend,
+ OUT UINTN *Result
+ )
+{
+ RETURN_STATUS Status;
+
+ if (Result == NULL) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ if (Minuend >= Subtrahend) {
+ *Result = (Minuend - Subtrahend);
+ Status = RETURN_SUCCESS;
+ } else {
+ *Result = UINTN_ERROR;
+ Status = RETURN_BUFFER_TOO_SMALL;
+ }
+
+ return Status;
+ }
+ return SafeUint64Sub ((UINT64)Minuend, (UINT64)Subtrahend, (UINT64 *)Result);
+}
+
+/**
+ UINTN multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeUintnMult (
+ IN UINTN Multiplicand,
+ IN UINTN Multiplier,
+ OUT UINTN *Result
+ )
+{
+ UINT64 IntermediateResult;
+
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ IntermediateResult = ((UINT64) Multiplicand) *((UINT64) Multiplier);
+
+ return SafeUint64ToUintn (IntermediateResult, Result);
+ }
+ return SafeUint64Mult ((UINT64)Multiplicand, (UINT64)Multiplier, (UINT64 *)Result);
+}
+
+/**
+ INTN Addition
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Augend A number to which addend will be added
+ @param[in] Addend A number to be added to another
+ @param[out] Result Pointer to the result of addition
+
+ @retval RETURN_SUCCESS Successful addition
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnAdd (
+ IN INTN Augend,
+ IN INTN Addend,
+ OUT INTN *Result
+ )
+{
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ return SafeInt64ToIntn (((INT64)Augend) + ((INT64)Addend), Result);
+ }
+ return SafeInt64Add ((INT64)Augend, (INT64)Addend, (INT64 *)Result);
+}
+
+/**
+ INTN Subtraction
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Minuend A number from which another is to be subtracted.
+ @param[in] Subtrahend A number to be subtracted from another
+ @param[out] Result Pointer to the result of subtraction
+
+ @retval RETURN_SUCCESS Successful subtraction
+ @retval RETURN_BUFFER_TOO_SMALL Underflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnSub (
+ IN INTN Minuend,
+ IN INTN Subtrahend,
+ OUT INTN *Result
+ )
+{
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ return SafeInt64ToIntn (((INT64)Minuend) - ((INT64)Subtrahend), Result);
+ }
+ return SafeInt64Sub ((INT64)Minuend, (INT64)Subtrahend, (INT64 *)Result);
+}
+
+/**
+ INTN multiplication
+
+ Performs the requested operation using the input parameters into a value
+ specified by Result type and stores the converted value into the caller
+ allocated output buffer specified by Result. The caller must pass in a
+ Result buffer that is at least as large as the Result type.
+
+ If Result is NULL, RETURN_INVALID_PARAMETER is returned.
+
+ If the requested operation results in an overflow or an underflow condition,
+ then Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
+
+ @param[in] Multiplicand A number that is to be multiplied by another
+ @param[in] Multiplier A number by which the multiplicand is to be multiplied
+ @param[out] Result Pointer to the result of multiplication
+
+ @retval RETURN_SUCCESS Successful multiplication
+ @retval RETURN_BUFFER_TOO_SMALL Overflow
+ @retval RETURN_INVALID_PARAMETER Result is NULL
+**/
+RETURN_STATUS
+EFIAPI
+SafeIntnMult (
+ IN INTN Multiplicand,
+ IN INTN Multiplier,
+ OUT INTN *Result
+ )
+{
+ if (sizeof (UINTN) == sizeof (UINT32)) {
+ return SafeInt64ToIntn (((INT64)Multiplicand) *((INT64)Multiplier), Result);
+ }
+ return SafeInt64Mult ((INT64)Multiplicand, (INT64)Multiplier, (INT64 *)Result);
+}
+
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index 458d56803849..d945edcdb446 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -233,6 +233,11 @@ [LibraryClasses]
## @libraryclass provides EFI_FILE_HANDLE services
FileHandleLib|Include/Library/FileHandleLib.h
+ ## @libraryclass provides helper functions to prevent integer overflow during
+ # type conversion, addition, subtraction, and multiplication.
+ ##
+ SafeIntLib|Include/Library/SafeIntLib.h
+
[LibraryClasses.IA32, LibraryClasses.X64]
## @libraryclass Abstracts both S/W SMI generation and detection.
##
diff --git a/MdePkg/MdePkg.dsc b/MdePkg/MdePkg.dsc
index 7fe9e6bb4ae9..353e903270dd 100644
--- a/MdePkg/MdePkg.dsc
+++ b/MdePkg/MdePkg.dsc
@@ -82,6 +82,7 @@ [Components]
MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.inf
MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
+ MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf
MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
--
2.31.1
From 3ac7c823f75dd7d8f98496166becb95dd92e6149 Mon Sep 17 00:00:00 2001
From: Liming Gao <liming.gao@intel.com>
Date: Wed, 31 Jan 2018 20:27:10 +0800
Subject: [PATCH 02/18] MdePkg SafeIntLib: Update API definition to use the
same output name
In SafeUintnToChar8(), update its output parameter name.
Update pui8Result --> Result to match its library implementation
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Michael Kinney <michael.d.kinney@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 93efab6d9a8e2278631752fad934425de0a6337a)
---
MdePkg/Include/Library/SafeIntLib.h | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/MdePkg/Include/Library/SafeIntLib.h b/MdePkg/Include/Library/SafeIntLib.h
index 583930195a61..8c5003f67838 100644
--- a/MdePkg/Include/Library/SafeIntLib.h
+++ b/MdePkg/Include/Library/SafeIntLib.h
@@ -375,7 +375,7 @@ RETURN_STATUS
EFIAPI
SafeInt16ToUint8 (
IN INT16 Operand,
- OUT UINT8 *pui8Result
+ OUT UINT8 *Result
);
/**
@@ -564,7 +564,7 @@ RETURN_STATUS
EFIAPI
SafeUint16ToUint8 (
IN UINT16 Operand,
- OUT UINT8 *pui8Result
+ OUT UINT8 *Result
);
/**
@@ -672,7 +672,7 @@ RETURN_STATUS
EFIAPI
SafeInt32ToUint8 (
IN INT32 Operand,
- OUT UINT8 *pui8Result
+ OUT UINT8 *Result
);
/**
@@ -889,7 +889,7 @@ RETURN_STATUS
EFIAPI
SafeUint32ToUint8 (
IN UINT32 Operand,
- OUT UINT8 *pui8Result
+ OUT UINT8 *Result
);
/**
@@ -1078,7 +1078,7 @@ RETURN_STATUS
EFIAPI
SafeIntnToUint8 (
IN INTN Operand,
- OUT UINT8 *pui8Result
+ OUT UINT8 *Result
);
/**
@@ -1321,7 +1321,7 @@ RETURN_STATUS
EFIAPI
SafeUintnToUint8 (
IN UINTN Operand,
- OUT UINT8 *pui8Result
+ OUT UINT8 *Result
);
/**
--
2.31.1
From 197d320d77d05887d76bbc901adda7e62011ef68 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 15 Feb 2018 14:47:11 +0100
Subject: [PATCH 03/18] MdePkg/BaseSafeIntLib: fix undefined behavior in
SafeInt64Sub()
The subtraction in the assignment
SignedResult = Minuend - Subtrahend;
is performed with unchecked INT64 operands. According to ISO C, if the
mathematical result of signed integer subtraction cannot be represented in
the result type, the behavior is undefined. (Refer to ISO C99 6.5p5.
6.2.5p9 only exempts unsigned integers, and 6.3.1.3p3 does not apply
because it treats the conversion of integers that have been successfully
evaluated first.)
Replace the after-the-fact result checking with checks on the operands,
and only perform the subtraction if it is safe.
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Michael D Kinney <michael.d.kinney@intel.com>
(cherry picked from commit 54c7728a04658b09ea1a50b9e35e838fde166003)
---
MdePkg/Library/BaseSafeIntLib/SafeIntLib.c | 50 +++++++++++++++++-----
1 file changed, 39 insertions(+), 11 deletions(-)
diff --git a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
index d846160ba0d1..8e857927b067 100644
--- a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
+++ b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
@@ -3837,27 +3837,55 @@ SafeInt64Sub (
)
{
RETURN_STATUS Status;
- INT64 SignedResult;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
- SignedResult = Minuend - Subtrahend;
-
//
- // Subtracting a positive number from a positive number never overflows.
- // Subtracting a negative number from a negative number never overflows.
- // If you subtract a negative number from a positive number, you expect a positive result.
- // If you subtract a positive number from a negative number, you expect a negative result.
- // Overflow if inputs vary in sign and the output does not have the same sign as the first input.
+ // * A Subtrahend of zero can never cause underflow or overflow.
//
- if (((Minuend < 0) != (Subtrahend < 0)) &&
- ((Minuend < 0) != (SignedResult < 0))) {
+ // * A positive Subtrahend can only cause underflow. The underflow condition
+ // is:
+ //
+ // (Minuend - Subtrahend) < MIN_INT64
+ //
+ // Adding Subtrahend to both sides yields
+ //
+ // Minuend < (MIN_INT64 + Subtrahend)
+ //
+ // This condition can be coded directly in C because the RHS will neither
+ // underflow nor overflow. That is due to the starting condition:
+ //
+ // 0 < Subtrahend <= MAX_INT64
+ //
+ // Adding MIN_INT64 to all three sides yields
+ //
+ // MIN_INT64 < (MIN_INT64 + Subtrahend) <= (MIN_INT64 + MAX_INT64) = -1
+ //
+ // * A negative Subtrahend can only cause overflow. The overflow condition is
+ //
+ // (Minuend - Subtrahend) > MAX_INT64
+ //
+ // Adding Subtrahend to both sides yields
+ //
+ // Minuend > (MAX_INT64 + Subtrahend)
+ //
+ // This condition can be coded directly in C because the RHS will neither
+ // underflow nor overflow. That is due to the starting condition:
+ //
+ // MIN_INT64 <= Subtrahend < 0
+ //
+ // Adding MAX_INT64 to all three sides yields
+ //
+ // -1 = (MAX_INT64 + MIN_INT64) <= (MAX_INT64 + Subtrahend) < MAX_INT64
+ //
+ if (((Subtrahend > 0) && (Minuend < (MIN_INT64 + Subtrahend))) ||
+ ((Subtrahend < 0) && (Minuend > (MAX_INT64 + Subtrahend)))) {
*Result = INT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
} else {
- *Result = SignedResult;
+ *Result = Minuend - Subtrahend;
Status = RETURN_SUCCESS;
}
--
2.31.1
From da291431c2cf0d8a724800920d377d0b074d9660 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 15 Feb 2018 14:47:11 +0100
Subject: [PATCH 04/18] MdePkg/BaseSafeIntLib: fix undefined behavior in
SafeInt64Add()
The addition in the assignment
SignedResult = Augend + Addend;
is performed with unchecked INT64 operands. According to ISO C, if the
mathematical result of signed integer addition cannot be represented in
the result type, the behavior is undefined. (Refer to ISO C99 6.5p5.
6.2.5p9 only exempts unsigned integers, and 6.3.1.3p3 does not apply
because it treats the conversion of integers that have been successfully
evaluated first.)
Replace the after-the-fact result checking with checks on the operands,
and only perform the addition if it is safe.
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Michael D Kinney <michael.d.kinney@intel.com>
(cherry picked from commit 41bfaffd13094d9042110091e6c37adf20c4032c)
---
MdePkg/Library/BaseSafeIntLib/SafeIntLib.c | 56 ++++++++++++++++++----
1 file changed, 46 insertions(+), 10 deletions(-)
diff --git a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
index 8e857927b067..56d97cf65601 100644
--- a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
+++ b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
@@ -3631,26 +3631,62 @@ SafeInt64Add (
)
{
RETURN_STATUS Status;
- INT64 SignedResult;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
- SignedResult = Augend + Addend;
-
//
- // Adding positive to negative never overflows.
- // If you add two positive numbers, you expect a positive result.
- // If you add two negative numbers, you expect a negative result.
- // Overflow if inputs are the same sign and output is not that sign.
+ // * An Addend of zero can never cause underflow or overflow.
//
- if (((Augend < 0) == (Addend < 0)) &&
- ((Augend < 0) != (SignedResult < 0))) {
+ // * A positive Addend can only cause overflow. The overflow condition is
+ //
+ // (Augend + Addend) > MAX_INT64
+ //
+ // Subtracting Addend from both sides yields
+ //
+ // Augend > (MAX_INT64 - Addend)
+ //
+ // This condition can be coded directly in C because the RHS will neither
+ // underflow nor overflow. That is due to the starting condition:
+ //
+ // 0 < Addend <= MAX_INT64
+ //
+ // Multiplying all three sides by (-1) yields
+ //
+ // 0 > (-Addend) >= (-MAX_INT64)
+ //
+ // Adding MAX_INT64 to all three sides yields
+ //
+ // MAX_INT64 > (MAX_INT64 - Addend) >= 0
+ //
+ // * A negative Addend can only cause underflow. The underflow condition is
+ //
+ // (Augend + Addend) < MIN_INT64
+ //
+ // Subtracting Addend from both sides yields
+ //
+ // Augend < (MIN_INT64 - Addend)
+ //
+ // This condition can be coded directly in C because the RHS will neither
+ // underflow nor overflow. That is due to the starting condition:
+ //
+ // MIN_INT64 <= Addend < 0
+ //
+ // Multiplying all three sides by (-1) yields
+ //
+ // (-MIN_INT64) >= (-Addend) > 0
+ //
+ // Adding MIN_INT64 to all three sides yields
+ //
+ // 0 >= (MIN_INT64 - Addend) > MIN_INT64
+ //
+ if (((Addend > 0) && (Augend > (MAX_INT64 - Addend))) ||
+ ((Addend < 0) && (Augend < (MIN_INT64 - Addend)))) {
*Result = INT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
} else {
- *Result = SignedResult;
+ *Result = Augend + Addend;
Status = RETURN_SUCCESS;
}
--
2.31.1
From e273c1a072d5706e7fd1f7fcec9a761927e4ee4a Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 15 Feb 2018 17:09:43 +0100
Subject: [PATCH 05/18] MdePkg/BaseSafeIntLib: clean up parentheses in
MIN_INT64_MAGNITUDE
The definition of the MIN_INT64_MAGNITUDE macro is correct, but it's
harder to read than necessary: the sub-expression
(( (UINT64) - (MIN_INT64 + 1) ))
is doubly parenthesized. Reusing one pair of the outer parens, rewrite the
sub-expression (without change in meaning) so that the minus sign cannot
be mistaken for subtraction:
( (UINT64)(- (MIN_INT64 + 1)) )
The resultant macro definition matches the following expressions in
SafeInt64Mult():
> //
> // Avoid negating the most negative number.
> //
> UnsignedMultiplicand = ((UINT64)(- (Multiplicand + 1))) + 1;
and
> //
> // Avoid negating the most negative number.
> //
> UnsignedMultiplier = ((UINT64)(- (Multiplier + 1))) + 1;
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Michael D Kinney <michael.d.kinney@intel.com>
(cherry picked from commit 8c33cc0ec926b17396fcd71686c727b991984d4a)
---
MdePkg/Library/BaseSafeIntLib/SafeIntLib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
index 56d97cf65601..de91ffeca2a5 100644
--- a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
+++ b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
@@ -33,7 +33,7 @@
//
// Magnitude of MIN_INT64 as expressed by a UINT64 number.
//
-#define MIN_INT64_MAGNITUDE ((((UINT64) - (MIN_INT64 + 1))) + 1)
+#define MIN_INT64_MAGNITUDE (((UINT64)(- (MIN_INT64 + 1))) + 1)
//
// Conversion functions
--
2.31.1
From f3d3a7c32b0f46a3f641e57da2529321b5e1722d Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 15 Feb 2018 17:09:43 +0100
Subject: [PATCH 06/18] MdePkg/BaseSafeIntLib: fix undefined behavior in
SafeInt64Mult()
If we have to negate UnsignedResult (due to exactly one of Multiplicand
and Multiplier being negative), and UnsignedResult is exactly
MIN_INT64_MAGNITUDE (value 2^63), then the statement
*Result = - ((INT64)UnsignedResult);
invokes both implementation-defined behavior and undefined behavior.
First, MIN_INT64_MAGNITUDE is not representable as INT64, therefore the
result of the (inner) conversion
(INT64)MIN_INT64_MAGNITUDE
is implementation-defined, or an implementation-defined signal is raised,
according to ISO C99 6.3.1.3p3.
Second, if we assume that the C language implementation defines the
conversion to INT64 simply as reinterpreting the bit pattern
0x8000_0000_0000_0000 as a signed integer in two's complement
representation, then the conversion immediately produces the negative
value MIN_INT64 (value -(2^63)). In turn, the (outer) negation
-(MIN_INT64)
invokes undefined behavior, because the mathematical result of the
negation, namely 2^63, cannot be represented in an INT64 object. (Not even
mentioning the fact that the mathematical result would be incorrect.) In
practice, the undefined negation of MIN_INT64 happens to produce an
unchanged, valid-looking result on x86, i.e. (-(MIN_INT64)) == MIN_INT64.
We can summarize this as the undefined -- effectless -- negation canceling
out the botched -- auto-negating -- implementation-defined conversion.
Instead of relying on such behavior, dedicate a branch to this situation:
assign MIN_INT64 directly. The branch can be triggered e.g. by multiplying
(2^62) by (-2).
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Michael D Kinney <michael.d.kinney@intel.com>
(cherry picked from commit 75505d161133cbeb57185b567d7b05756d255a3f)
---
MdePkg/Library/BaseSafeIntLib/SafeIntLib.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
index de91ffeca2a5..c5f13d7e0828 100644
--- a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
+++ b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c
@@ -4143,6 +4143,8 @@ SafeInt64Mult (
if (UnsignedResult > MIN_INT64_MAGNITUDE) {
*Result = INT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
+ } else if (UnsignedResult == MIN_INT64_MAGNITUDE) {
+ *Result = MIN_INT64;
} else {
*Result = - ((INT64)UnsignedResult);
}
--
2.31.1
From b9cab2eb46b1d11fd71b410dad21cc9152630d0b Mon Sep 17 00:00:00 2001
From: Jiaxin Wu <jiaxin.wu@intel.com>
Date: Fri, 4 May 2018 11:48:43 +0800
Subject: [PATCH 07/18] NetworkPkg/NetworkPkg.dsc: Add the instance of library
class [SafeIntLib].
This patch is to add the instance of library class [SafeIntLib] to fix the
NetworkPkg build error, which is caused by the commit of 2167c7f7 that the
TlsLib will always consume SafeIntLib.
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Bi Dandan <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
(cherry picked from commit e9b4a4625c35f74824f05a2d846977756f7dd2a0)
---
NetworkPkg/NetworkPkg.dsc | 1 +
1 file changed, 1 insertion(+)
diff --git a/NetworkPkg/NetworkPkg.dsc b/NetworkPkg/NetworkPkg.dsc
index 3c809d5009ed..b3bfbb6664d9 100644
--- a/NetworkPkg/NetworkPkg.dsc
+++ b/NetworkPkg/NetworkPkg.dsc
@@ -45,6 +45,7 @@ [LibraryClasses]
PeCoffGetEntryPointLib|MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf
DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf
DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf
+ SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
DpcLib|MdeModulePkg/Library/DxeDpcLib/DxeDpcLib.inf
NetLib|MdeModulePkg/Library/DxeNetLib/DxeNetLib.inf
--
2.31.1
From d225668d68ae389c6a1d571b05d0d05f0ce2e6bf Mon Sep 17 00:00:00 2001
From: Michael D Kinney <michael.d.kinney@intel.com>
Date: Fri, 29 Dec 2017 18:59:21 -0800
Subject: [PATCH 08/18] OvmfPkg: Add SafeIntLib and BmpSupportLib to DSC files
https://bugzilla.tianocore.org/show_bug.cgi?id=800
Based on content from the following branch/commits:
https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport
https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d
https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61
https://github.com/Microsoft/MS_UEFI/commit/2b9f111f2e74a4c2ef4c4e32379e111f016dbd9b
The BootGraphicsResourceTableDxe module uses the BmpSupportLib
and SafeIntLib to convert a GOP BLT buffer to a BMP graphics image.
Add library mappings for these new library classes.
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Bret Barkelew <Bret.Barkelew@microsoft.com>
(cherry picked from commit 7fc21c29e84b018898299e93cc2052fa5ad9bab0)
NOTE from Gary:
Remove importing of BmpSupportLib since we only need SafeIntLib for
bsc#1186151
---
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
3 files changed, 3 insertions(+)
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index c874134c06a7..85447920a906 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -68,6 +68,7 @@ [LibraryClasses]
PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
BaseMemoryLib|MdePkg/Library/BaseMemoryLibRepStr/BaseMemoryLibRepStr.inf
BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
+ SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
CpuLib|MdePkg/Library/BaseCpuLib/BaseCpuLib.inf
PerformanceLib|MdePkg/Library/BasePerformanceLibNull/BasePerformanceLibNull.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 369da816d65d..d82a4a9466c9 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -73,6 +73,7 @@ [LibraryClasses]
PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
BaseMemoryLib|MdePkg/Library/BaseMemoryLibRepStr/BaseMemoryLibRepStr.inf
BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
+ SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
CpuLib|MdePkg/Library/BaseCpuLib/BaseCpuLib.inf
PerformanceLib|MdePkg/Library/BasePerformanceLibNull/BasePerformanceLibNull.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 518e648bc9c3..dfc6b43fd51e 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -73,6 +73,7 @@ [LibraryClasses]
PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
BaseMemoryLib|MdePkg/Library/BaseMemoryLibRepStr/BaseMemoryLibRepStr.inf
BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
+ SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
CpuLib|MdePkg/Library/BaseCpuLib/BaseCpuLib.inf
PerformanceLib|MdePkg/Library/BasePerformanceLibNull/BasePerformanceLibNull.inf
--
2.31.1
From a92142c9307edbea6f5382324fe9cfba61b0a45a Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 26 Apr 2021 19:05:20 +0200
Subject: [PATCH 09/18] NetworkPkg/IScsiDxe: wrap IScsiCHAP source files to 80
characters
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Working with overlong lines is difficult for me; rewrap the CHAP-related
source files in IScsiDxe to 80 characters width. No functional changes.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
---
NetworkPkg/IScsiDxe/IScsiCHAP.c | 90 +++++++++++++++++++++++++--------
NetworkPkg/IScsiDxe/IScsiCHAP.h | 3 +-
2 files changed, 71 insertions(+), 22 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index 18c49b952f56..5f045b07851c 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -1,5 +1,6 @@
/** @file
- This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration.
+ This file is for Challenge-Handshake Authentication Protocol (CHAP)
+ Configuration.
Copyright (c) 2004 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
@@ -24,9 +25,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
@param[in] ChallengeLength The length of iSCSI CHAP challenge message.
@param[out] ChapResponse The calculation of the expected hash value.
- @retval EFI_SUCCESS The expected hash value was calculatedly successfully.
- @retval EFI_PROTOCOL_ERROR The length of the secret should be at least the
- length of the hash value for the hashing algorithm chosen.
+ @retval EFI_SUCCESS The expected hash value was calculatedly
+ successfully.
+ @retval EFI_PROTOCOL_ERROR The length of the secret should be at least
+ the length of the hash value for the hashing
+ algorithm chosen.
@retval EFI_PROTOCOL_ERROR MD5 hash operation fail.
@retval EFI_OUT_OF_RESOURCES Fail to allocate resource to complete MD5.
@@ -100,8 +103,10 @@ Exit:
@param[in] AuthData iSCSI CHAP authentication data.
@param[in] TargetResponse The response from target.
- @retval EFI_SUCCESS The response from target passed authentication.
- @retval EFI_SECURITY_VIOLATION The response from target was not expected value.
+ @retval EFI_SUCCESS The response from target passed
+ authentication.
+ @retval EFI_SECURITY_VIOLATION The response from target was not expected
+ value.
@retval Others Other errors as indicated.
**/
@@ -199,7 +204,10 @@ IScsiCHAPOnRspReceived (
//
// The first Login Response.
//
- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG);
+ Value = IScsiGetValueByKeyFromList (
+ KeyValueList,
+ ISCSI_KEY_TARGET_PORTAL_GROUP_TAG
+ );
if (Value == NULL) {
goto ON_EXIT;
}
@@ -211,13 +219,17 @@ IScsiCHAPOnRspReceived (
Session->TargetPortalGroupTag = (UINT16) Result;
- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD);
+ Value = IScsiGetValueByKeyFromList (
+ KeyValueList,
+ ISCSI_KEY_AUTH_METHOD
+ );
if (Value == NULL) {
goto ON_EXIT;
}
//
- // Initiator mandates CHAP authentication but target replies without "CHAP", or
- // initiator suggets "None" but target replies with some kind of auth method.
+ // Initiator mandates CHAP authentication but target replies without
+ // "CHAP", or initiator suggets "None" but target replies with some kind of
+ // auth method.
//
if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) {
if (AsciiStrCmp (Value, ISCSI_KEY_VALUE_NONE) != 0) {
@@ -242,7 +254,10 @@ IScsiCHAPOnRspReceived (
//
// The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>
//
- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM);
+ Value = IScsiGetValueByKeyFromList (
+ KeyValueList,
+ ISCSI_KEY_CHAP_ALGORITHM
+ );
if (Value == NULL) {
goto ON_EXIT;
}
@@ -255,12 +270,18 @@ IScsiCHAPOnRspReceived (
goto ON_EXIT;
}
- Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER);
+ Identifier = IScsiGetValueByKeyFromList (
+ KeyValueList,
+ ISCSI_KEY_CHAP_IDENTIFIER
+ );
if (Identifier == NULL) {
goto ON_EXIT;
}
- Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE);
+ Challenge = IScsiGetValueByKeyFromList (
+ KeyValueList,
+ ISCSI_KEY_CHAP_CHALLENGE
+ );
if (Challenge == NULL) {
goto ON_EXIT;
}
@@ -275,7 +296,11 @@ IScsiCHAPOnRspReceived (
AuthData->InIdentifier = (UINT32) Result;
AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;
- IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge);
+ IScsiHexToBin (
+ (UINT8 *) AuthData->InChallenge,
+ &AuthData->InChallengeLength,
+ Challenge
+ );
Status = IScsiCHAPCalculateResponse (
AuthData->InIdentifier,
AuthData->AuthConfig->CHAPSecret,
@@ -309,7 +334,10 @@ IScsiCHAPOnRspReceived (
goto ON_EXIT;
}
- Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE);
+ Response = IScsiGetValueByKeyFromList (
+ KeyValueList,
+ ISCSI_KEY_CHAP_RESPONSE
+ );
if (Response == NULL) {
goto ON_EXIT;
}
@@ -347,7 +375,8 @@ ON_EXIT:
@param[in, out] Pdu The PDU to send out.
@retval EFI_SUCCESS All check passed and the phase-related CHAP
- authentication info is filled into the iSCSI PDU.
+ authentication info is filled into the iSCSI
+ PDU.
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
@retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
@@ -398,7 +427,11 @@ IScsiCHAPToSendReq (
// It's the initial Login Request. Fill in the key=value pairs mandatory
// for the initial Login Request.
//
- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, mPrivate->InitiatorName);
+ IScsiAddKeyValuePair (
+ Pdu,
+ ISCSI_KEY_INITIATOR_NAME,
+ mPrivate->InitiatorName
+ );
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");
IScsiAddKeyValuePair (
Pdu,
@@ -419,7 +452,8 @@ IScsiCHAPToSendReq (
case ISCSI_CHAP_STEP_ONE:
//
- // First step, send the Login Request with CHAP_A=<A1,A2...> key-value pair.
+ // First step, send the Login Request with CHAP_A=<A1,A2...> key-value
+ // pair.
//
AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5);
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr);
@@ -435,11 +469,20 @@ IScsiCHAPToSendReq (
//
// CHAP_N=<N>
//
- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig->CHAPName);
+ IScsiAddKeyValuePair (
+ Pdu,
+ ISCSI_KEY_CHAP_NAME,
+ (CHAR8 *) &AuthData->AuthConfig->CHAPName
+ );
//
// CHAP_R=<R>
//
- IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen);
+ IScsiBinToHex (
+ (UINT8 *) AuthData->CHAPResponse,
+ ISCSI_CHAP_RSP_LEN,
+ Response,
+ &RspLen
+ );
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
@@ -454,7 +497,12 @@ IScsiCHAPToSendReq (
//
IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;
- IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen);
+ IScsiBinToHex (
+ (UINT8 *) AuthData->OutChallenge,
+ ISCSI_CHAP_RSP_LEN,
+ Challenge,
+ &ChallengeLen
+ );
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
index 132461b84d25..59c53fcd3538 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
@@ -94,7 +94,8 @@ IScsiCHAPOnRspReceived (
@param[in, out] Pdu The PDU to send out.
@retval EFI_SUCCESS All check passed and the phase-related CHAP
- authentication info is filled into the iSCSI PDU.
+ authentication info is filled into the iSCSI
+ PDU.
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
@retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
--
2.31.1
From a2d7701dda539c7bfa7a65383da4232de42ddb18 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 26 Apr 2021 20:07:25 +0200
Subject: [PATCH 10/18] NetworkPkg/IScsiDxe: simplify
"ISCSI_CHAP_AUTH_DATA.InChallenge" size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The ISCSI_CHAP_AUTH_MAX_LEN macro is defined with value 1024.
The usage of this macro currently involves a semantic (not functional)
bug, which we're going to fix in a subsequent patch, eliminating
ISCSI_CHAP_AUTH_MAX_LEN altogether.
For now, remove the macro's usage from all
"ISCSI_CHAP_AUTH_DATA.InChallenge" contexts. This is doable without
duplicating open-coded constants.
No changes in functionality.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
---
NetworkPkg/IScsiDxe/IScsiCHAP.c | 2 +-
NetworkPkg/IScsiDxe/IScsiCHAP.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index 5f045b07851c..8a44078268c7 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -295,7 +295,7 @@ IScsiCHAPOnRspReceived (
}
AuthData->InIdentifier = (UINT32) Result;
- AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;
+ AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
IScsiHexToBin (
(UINT8 *) AuthData->InChallenge,
&AuthData->InChallengeLength,
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
index 59c53fcd3538..8692c78f1d36 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
@@ -55,7 +55,7 @@ typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA {
typedef struct _ISCSI_CHAP_AUTH_DATA {
ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig;
UINT32 InIdentifier;
- UINT8 InChallenge[ISCSI_CHAP_AUTH_MAX_LEN];
+ UINT8 InChallenge[1024];
UINT32 InChallengeLength;
//
// Calculated CHAP Response (CHAP_R) value.
--
2.31.1
From c177129419242d7576b7fddca7553933eb97043a Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 26 Apr 2021 20:17:23 +0200
Subject: [PATCH 11/18] NetworkPkg/IScsiDxe: clean up
"ISCSI_CHAP_AUTH_DATA.OutChallengeLength"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The "ISCSI_CHAP_AUTH_DATA.OutChallenge" field is declared as a UINT8 array
with ISCSI_CHAP_AUTH_MAX_LEN (1024) elements. However, when the challenge
is generated and formatted, only ISCSI_CHAP_RSP_LEN (16) octets are used
in the array.
Change the array size to ISCSI_CHAP_RSP_LEN, and remove the (now unused)
ISCSI_CHAP_AUTH_MAX_LEN macro.
Remove the "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" field, which is
superfluous too.
Most importantly, explain in a new comment *why* tying the challenge size
to the digest size (ISCSI_CHAP_RSP_LEN) has always made sense. (See also
Linux kernel commit 19f5f88ed779, "scsi: target: iscsi: tie the challenge
length to the hash digest size", 2019-11-06.) For sure, the motivation
that the new comment now explains has always been there, and has always
been the same, for IScsiDxe; it's just that now we spell it out too.
No change in peer-visible behavior.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
---
NetworkPkg/IScsiDxe/IScsiCHAP.c | 3 +--
NetworkPkg/IScsiDxe/IScsiCHAP.h | 9 ++++++---
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index 8a44078268c7..320fd4c3b803 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -128,7 +128,7 @@ IScsiCHAPAuthTarget (
AuthData->AuthConfig->ReverseCHAPSecret,
SecretSize,
AuthData->OutChallenge,
- AuthData->OutChallengeLength,
+ ISCSI_CHAP_RSP_LEN, // ChallengeLength
VerifyRsp
);
@@ -496,7 +496,6 @@ IScsiCHAPToSendReq (
// CHAP_C=<C>
//
IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
- AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;
IScsiBinToHex (
(UINT8 *) AuthData->OutChallenge,
ISCSI_CHAP_RSP_LEN,
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
index 8692c78f1d36..06ba084c9cee 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
@@ -25,7 +25,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#define ISCSI_CHAP_ALGORITHM_MD5 5
-#define ISCSI_CHAP_AUTH_MAX_LEN 1024
///
/// MD5_HASHSIZE
///
@@ -65,9 +64,13 @@ typedef struct _ISCSI_CHAP_AUTH_DATA {
//
// Auth-data to be sent out for mutual authentication.
//
+ // While the challenge size is technically independent of the hashing
+ // algorithm, it is good practice to avoid hashing *fewer bytes* than the
+ // digest size. In other words, it's good practice to feed *at least as many
+ // bytes* to the hashing algorithm as the hashing algorithm will output.
+ //
UINT32 OutIdentifier;
- UINT8 OutChallenge[ISCSI_CHAP_AUTH_MAX_LEN];
- UINT32 OutChallengeLength;
+ UINT8 OutChallenge[ISCSI_CHAP_RSP_LEN];
} ISCSI_CHAP_AUTH_DATA;
/**
--
2.31.1
From 3e085d5bd89c33215acda5728519b337f2febad4 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 27 Apr 2021 09:49:16 +0200
Subject: [PATCH 12/18] NetworkPkg/IScsiDxe: clean up library class
dependencies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sort the library class dependencies in the #include directives and in the
INF file. Remove the DpcLib class from the #include directives -- it is
not listed in the INF file, and IScsiDxe doesn't call either DpcLib API
(QueueDpc(), DispatchDpc()). No functional changes.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
---
NetworkPkg/IScsiDxe/IScsiDxe.inf | 6 +++---
NetworkPkg/IScsiDxe/IScsiImpl.h | 17 ++++++++---------
2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf
index 89521209b7cf..e4dbc810b1ff 100644
--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf
+++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf
@@ -69,6 +69,7 @@ [Packages]
NetworkPkg/NetworkPkg.dec
[LibraryClasses]
+ BaseCryptLib
BaseLib
BaseMemoryLib
DebugLib
@@ -76,14 +77,13 @@ [LibraryClasses]
HiiLib
MemoryAllocationLib
NetLib
- TcpIoLib
PrintLib
+ TcpIoLib
UefiBootServicesTableLib
UefiDriverEntryPoint
+ UefiHiiServicesLib
UefiLib
UefiRuntimeServicesTableLib
- UefiHiiServicesLib
- BaseCryptLib
[Protocols]
gEfiAcpiTableProtocolGuid ## SOMETIMES_CONSUMES ## SystemTable
diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h
index 9941b8c3ea11..59c65de169a8 100644
--- a/NetworkPkg/IScsiDxe/IScsiImpl.h
+++ b/NetworkPkg/IScsiDxe/IScsiImpl.h
@@ -34,21 +34,20 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Protocol/ScsiPassThruExt.h>
#include <Protocol/AdapterInformation.h>
-#include <Library/HiiLib.h>
-#include <Library/UefiHiiServicesLib.h>
-#include <Library/DevicePathLib.h>
-#include <Library/DebugLib.h>
+#include <Library/BaseCryptLib.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/DevicePathLib.h>
+#include <Library/HiiLib.h>
#include <Library/MemoryAllocationLib.h>
+#include <Library/NetLib.h>
#include <Library/PrintLib.h>
+#include <Library/TcpIoLib.h>
#include <Library/UefiBootServicesTableLib.h>
-#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/UefiHiiServicesLib.h>
#include <Library/UefiLib.h>
-#include <Library/DpcLib.h>
-#include <Library/NetLib.h>
-#include <Library/TcpIoLib.h>
-#include <Library/BaseCryptLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
#include <Guid/MdeModuleHii.h>
#include <Guid/EventGroup.h>
--
2.31.1
From 7a000de502435c2126ac2fa6ae450624bed2815f Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 27 Apr 2021 10:10:42 +0200
Subject: [PATCH 13/18] NetworkPkg/IScsiDxe: fix potential integer overflow in
IScsiBinToHex()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Considering IScsiBinToHex():
> if (((*HexLength) - 3) < BinLength * 2) {
> *HexLength = BinLength * 2 + 3;
> }
the following subexpressions are problematic:
(*HexLength) - 3
BinLength * 2
BinLength * 2 + 3
The first one may wrap under zero, the latter two may wrap over
MAX_UINT32.
Rewrite the calculation using SafeIntLib.
While at it, change the type of the "Index" variable from UINTN to UINT32.
The largest "Index"-based value that we calculate is
Index * 2 + 2 (with (Index == BinLength))
Because the patch makes
BinLength * 2 + 3
safe to calculate in UINT32, using UINT32 for
Index * 2 + 2 (with (Index == BinLength))
is safe too. Consistently using UINT32 improves readability.
This patch is best reviewed with "git show -W".
The integer overflows that this patch fixes are theoretical; a subsequent
patch in the series will audit the IScsiBinToHex() call sites, and show
that none of them can fail.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
---
NetworkPkg/IScsiDxe/IScsiDxe.inf | 1 +
NetworkPkg/IScsiDxe/IScsiImpl.h | 1 +
NetworkPkg/IScsiDxe/IScsiMisc.c | 19 +++++++++++++++----
NetworkPkg/IScsiDxe/IScsiMisc.h | 1 +
4 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf
index e4dbc810b1ff..c535283731c3 100644
--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf
+++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf
@@ -78,6 +78,7 @@ [LibraryClasses]
MemoryAllocationLib
NetLib
PrintLib
+ SafeIntLib
TcpIoLib
UefiBootServicesTableLib
UefiDriverEntryPoint
diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h
index 59c65de169a8..a45350073930 100644
--- a/NetworkPkg/IScsiDxe/IScsiImpl.h
+++ b/NetworkPkg/IScsiDxe/IScsiImpl.h
@@ -43,6 +43,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Library/MemoryAllocationLib.h>
#include <Library/NetLib.h>
#include <Library/PrintLib.h>
+#include <Library/SafeIntLib.h>
#include <Library/TcpIoLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiHiiServicesLib.h>
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
index a1f2672f3709..76e6c59e2c66 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
@@ -322,6 +322,7 @@ IScsiMacAddrToStr (
@retval EFI_SUCCESS The binary data is converted to the hexadecimal string
and the length of the string is updated.
@retval EFI_BUFFER_TOO_SMALL The string is too small.
+ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding.
@retval EFI_INVALID_PARAMETER The IP string is malformatted.
**/
@@ -333,18 +334,28 @@ IScsiBinToHex (
IN OUT UINT32 *HexLength
)
{
- UINTN Index;
+ UINT32 HexLengthMin;
+ UINT32 HexLengthProvided;
+ UINT32 Index;
if ((HexStr == NULL) || (BinBuffer == NULL) || (BinLength == 0)) {
return EFI_INVALID_PARAMETER;
}
- if (((*HexLength) - 3) < BinLength * 2) {
- *HexLength = BinLength * 2 + 3;
+ //
+ // Safely calculate: HexLengthMin := BinLength * 2 + 3.
+ //
+ if (RETURN_ERROR (SafeUint32Mult (BinLength, 2, &HexLengthMin)) ||
+ RETURN_ERROR (SafeUint32Add (HexLengthMin, 3, &HexLengthMin))) {
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ HexLengthProvided = *HexLength;
+ *HexLength = HexLengthMin;
+ if (HexLengthProvided < HexLengthMin) {
return EFI_BUFFER_TOO_SMALL;
}
- *HexLength = BinLength * 2 + 3;
//
// Prefix for Hex String.
//
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
index 1bcaeb8bcc81..f570a6c188a6 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
@@ -146,6 +146,7 @@ IScsiAsciiStrToIp (
@retval EFI_SUCCESS The binary data is converted to the hexadecimal string
and the length of the string is updated.
@retval EFI_BUFFER_TOO_SMALL The string is too small.
+ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding.
@retval EFI_INVALID_PARAMETER The IP string is malformatted.
**/
--
2.31.1
From 0f507310f8fb3ab8ff3404a2242125a9f61f0052 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 27 Apr 2021 10:26:01 +0200
Subject: [PATCH 14/18] NetworkPkg/IScsiDxe: assert that IScsiBinToHex() always
succeeds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
IScsiBinToHex() is called for encoding:
- the answer to the target's challenge; that is, CHAP_R;
- the challenge for the target, in case mutual authentication is enabled;
that is, CHAP_C.
The initiator controls the size of both blobs, the sizes of their hex
encodings are correctly calculated in "RspLen" and "ChallengeLen".
Therefore the IScsiBinToHex() calls never fail; assert that.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
---
NetworkPkg/IScsiDxe/IScsiCHAP.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index 320fd4c3b803..03234b616594 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -397,6 +397,7 @@ IScsiCHAPToSendReq (
UINT32 RspLen;
CHAR8 *Challenge;
UINT32 ChallengeLen;
+ EFI_STATUS BinToHexStatus;
ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);
@@ -477,12 +478,13 @@ IScsiCHAPToSendReq (
//
// CHAP_R=<R>
//
- IScsiBinToHex (
- (UINT8 *) AuthData->CHAPResponse,
- ISCSI_CHAP_RSP_LEN,
- Response,
- &RspLen
- );
+ BinToHexStatus = IScsiBinToHex (
+ (UINT8 *) AuthData->CHAPResponse,
+ ISCSI_CHAP_RSP_LEN,
+ Response,
+ &RspLen
+ );
+ ASSERT_EFI_ERROR (BinToHexStatus);
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
@@ -496,12 +498,13 @@ IScsiCHAPToSendReq (
// CHAP_C=<C>
//
IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
- IScsiBinToHex (
- (UINT8 *) AuthData->OutChallenge,
- ISCSI_CHAP_RSP_LEN,
- Challenge,
- &ChallengeLen
- );
+ BinToHexStatus = IScsiBinToHex (
+ (UINT8 *) AuthData->OutChallenge,
+ ISCSI_CHAP_RSP_LEN,
+ Challenge,
+ &ChallengeLen
+ );
+ ASSERT_EFI_ERROR (BinToHexStatus);
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
--
2.31.1
From f4b35d235953d750e751352406bab6f62dee2d6e Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 27 Apr 2021 10:37:26 +0200
Subject: [PATCH 15/18] NetworkPkg/IScsiDxe: reformat IScsiHexToBin() leading
comment block
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We'll need further return values for IScsiHexToBin() in a subsequent
patch; make room for them in the leading comment block of the function.
While at it, rewrap the comment block to 80 characters width.
No functional changes.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
---
NetworkPkg/IScsiDxe/IScsiMisc.c | 14 +++++++-------
NetworkPkg/IScsiDxe/IScsiMisc.h | 14 +++++++-------
2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
index 76e6c59e2c66..446dbb15a784 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
@@ -376,14 +376,14 @@ IScsiBinToHex (
/**
Convert the hexadecimal string into a binary encoded buffer.
- @param[in, out] BinBuffer The binary buffer.
- @param[in, out] BinLength Length of the binary buffer.
- @param[in] HexStr The hexadecimal string.
-
- @retval EFI_SUCCESS The hexadecimal string is converted into a binary
- encoded buffer.
- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.
+ @param[in, out] BinBuffer The binary buffer.
+ @param[in, out] BinLength Length of the binary buffer.
+ @param[in] HexStr The hexadecimal string.
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
+ binary encoded buffer.
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
+ converted data.
**/
EFI_STATUS
IScsiHexToBin (
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
index f570a6c188a6..4ba439c11593 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
@@ -161,14 +161,14 @@ IScsiBinToHex (
/**
Convert the hexadecimal string into a binary encoded buffer.
- @param[in, out] BinBuffer The binary buffer.
- @param[in, out] BinLength Length of the binary buffer.
- @param[in] HexStr The hexadecimal string.
-
- @retval EFI_SUCCESS The hexadecimal string is converted into a binary
- encoded buffer.
- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.
+ @param[in, out] BinBuffer The binary buffer.
+ @param[in, out] BinLength Length of the binary buffer.
+ @param[in] HexStr The hexadecimal string.
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
+ binary encoded buffer.
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
+ converted data.
**/
EFI_STATUS
IScsiHexToBin (
--
2.31.1
From c60aac15ea8bd6f72f27ae0821e2e413778dc873 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 27 Apr 2021 11:02:51 +0200
Subject: [PATCH 16/18] NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The IScsiHexToBin() function has the following parser issues:
(1) If the *subject sequence* in "HexStr" is empty, the function returns
EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should
be rejected.
(2) The function mis-handles a "HexStr" that ends with a stray nibble. For
example, if "HexStr" is "0xABC", the function decodes it to the bytes
{0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns
EFI_SUCCESS. Such inputs should be rejected.
(3) If an invalid hex char is found in "HexStr", the function treats it as
end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be
rejected.
All of the above cases are remotely triggerable, as shown in a subsequent
patch, which adds error checking to the IScsiHexToBin() call sites. While
the initiator is not immediately compromised, incorrectly parsing CHAP_R
from the target, in case of mutual authentication, is not great.
Extend the interface contract of IScsiHexToBin() with
EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement
the new checks.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
---
NetworkPkg/IScsiDxe/IScsiMisc.c | 12 ++++++++++--
NetworkPkg/IScsiDxe/IScsiMisc.h | 1 +
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
index 446dbb15a784..291e3245165f 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
@@ -382,6 +382,7 @@ IScsiBinToHex (
@retval EFI_SUCCESS The hexadecimal string is converted into a
binary encoded buffer.
+ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
converted data.
**/
@@ -408,14 +409,21 @@ IScsiHexToBin (
Length = AsciiStrLen (HexStr);
+ //
+ // Reject an empty hex string; reject a stray nibble.
+ //
+ if (Length == 0 || Length % 2 != 0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
for (Index = 0; Index < Length; Index ++) {
TemStr[0] = HexStr[Index];
Digit = (UINT8) AsciiStrHexToUint64 (TemStr);
if (Digit == 0 && TemStr[0] != '0') {
//
- // Invalid Lun Char.
+ // Invalid Hex Char.
//
- break;
+ return EFI_INVALID_PARAMETER;
}
if ((Index & 1) == 0) {
BinBuffer [Index/2] = Digit;
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
index 4ba439c11593..61cafde14810 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
@@ -167,6 +167,7 @@ IScsiBinToHex (
@retval EFI_SUCCESS The hexadecimal string is converted into a
binary encoded buffer.
+ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
converted data.
**/
--
2.31.1
From 321c44f430d5141ab590d472efdb60321a757ded Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 27 Apr 2021 11:02:51 +0200
Subject: [PATCH 17/18] NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer
overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return
condition, but never actually checks whether the decoded buffer fits into
the caller-provided room (i.e., the input value of "BinLength"), and
EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can
overflow "BinBuffer".
This is remotely exploitable, as shown in a subsequent patch, which adds
error checking to the IScsiHexToBin() call sites. This issue allows the
target to compromise the initiator.
Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent
EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow,
plus actually catch the buffer overflow.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
---
NetworkPkg/IScsiDxe/IScsiMisc.c | 20 +++++++++++++++++---
NetworkPkg/IScsiDxe/IScsiMisc.h | 3 +++
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
index 291e3245165f..1b038bc004e0 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
@@ -383,6 +383,9 @@ IScsiBinToHex (
@retval EFI_SUCCESS The hexadecimal string is converted into a
binary encoded buffer.
@retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
+ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding:
+ the decoded size cannot be expressed in
+ BinLength on output.
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
converted data.
**/
@@ -393,6 +396,8 @@ IScsiHexToBin (
IN CHAR8 *HexStr
)
{
+ UINTN BinLengthMin;
+ UINT32 BinLengthProvided;
UINTN Index;
UINTN Length;
UINT8 Digit;
@@ -415,6 +420,18 @@ IScsiHexToBin (
if (Length == 0 || Length % 2 != 0) {
return EFI_INVALID_PARAMETER;
}
+ //
+ // Check if the caller provides enough room for the decoded blob.
+ //
+ BinLengthMin = Length / 2;
+ if (BinLengthMin > MAX_UINT32) {
+ return EFI_BAD_BUFFER_SIZE;
+ }
+ BinLengthProvided = *BinLength;
+ *BinLength = (UINT32)BinLengthMin;
+ if (BinLengthProvided < BinLengthMin) {
+ return EFI_BUFFER_TOO_SMALL;
+ }
for (Index = 0; Index < Length; Index ++) {
TemStr[0] = HexStr[Index];
@@ -431,9 +448,6 @@ IScsiHexToBin (
BinBuffer [Index/2] = (UINT8) ((BinBuffer [Index/2] << 4) + Digit);
}
}
-
- *BinLength = (UINT32) ((Index + 1)/2);
-
return EFI_SUCCESS;
}
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
index 61cafde14810..81d0319ba249 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
@@ -168,6 +168,9 @@ IScsiBinToHex (
@retval EFI_SUCCESS The hexadecimal string is converted into a
binary encoded buffer.
@retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
+ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding:
+ the decoded size cannot be expressed in
+ BinLength on output.
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
converted data.
**/
--
2.31.1
From beef894445fc32c58b5216549cd3a45f6191881b Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 27 Apr 2021 12:10:12 +0200
Subject: [PATCH 18/18] NetworkPkg/IScsiDxe: check IScsiHexToBin() return
values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
IScsiDxe (that is, the initiator) receives two hex-encoded strings from
the iSCSI target:
- CHAP_C, where the target challenges the initiator,
- CHAP_R, where the target answers the challenge from the initiator (in
case the initiator wants mutual authentication).
Accordingly, we have two IScsiHexToBin() call sites:
- At the CHAP_C decoding site, check whether the decoding succeeds. The
decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes,
which is a permissible restriction on the target, per
<https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges
from the target are acceptable.
- At the CHAP_R decoding site, enforce that the decoding both succeed, and
provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest
calculated by the target, therefore it must be of fixed size. We may
only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
---
NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index 03234b616594..f89d256bc110 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -296,11 +296,15 @@ IScsiCHAPOnRspReceived (
AuthData->InIdentifier = (UINT32) Result;
AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
- IScsiHexToBin (
- (UINT8 *) AuthData->InChallenge,
- &AuthData->InChallengeLength,
- Challenge
- );
+ Status = IScsiHexToBin (
+ (UINT8 *) AuthData->InChallenge,
+ &AuthData->InChallengeLength,
+ Challenge
+ );
+ if (EFI_ERROR (Status)) {
+ Status = EFI_PROTOCOL_ERROR;
+ goto ON_EXIT;
+ }
Status = IScsiCHAPCalculateResponse (
AuthData->InIdentifier,
AuthData->AuthConfig->CHAPSecret,
@@ -343,7 +347,11 @@ IScsiCHAPOnRspReceived (
}
RspLen = ISCSI_CHAP_RSP_LEN;
- IScsiHexToBin (TargetRsp, &RspLen, Response);
+ Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
+ if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {
+ Status = EFI_PROTOCOL_ERROR;
+ goto ON_EXIT;
+ }
//
// Check the CHAP Name and Response replied by Target.
--
2.31.1