From 2cff8743ced9c2f79014a19077e91537fb938bb8 Mon Sep 17 00:00:00 2001 From: PaddyDeng Date: Mon, 7 Apr 2025 09:48:50 +0800 Subject: [PATCH] MdeModulePkg/Spi: Solving potential null ptr deref. in SpiNorFlashJedecSfdp The pointer `Instance->SfdpBasicFlash` can be used before initializing. Example code flow: - CreateSpiNorFlashSfdpInstance: Allocate pool for `Instance` - InitialSpiNorFlashSfdpInstance - ReadSfdp - ReadSfdpHeader - FillWriteBuffer: Dereferencing `Instance->SfdpBasicFlash` - ReadSfdpBasicParameterTable: Allocate pool for `Instance->SfdpBasicFlash` Check both `Instance` and `Instance->SfdpBasicFlash` should have a non null value before dereferencing it. Otherwise use the defaut value 0. Also terminate the function if `Instance` or `WriteBuffer` is NULL. Signed-off-by: Paddy Deng --- .../Bus/Spi/SpiNorFlashJedecSfdp/SpiNorFlash.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Bus/Spi/SpiNorFlashJedecSfdp/SpiNorFlash.c b/MdeModulePkg/Bus/Spi/SpiNorFlashJedecSfdp/SpiNorFlash.c index 3ac5420fbf..58f7704a2d 100644 --- a/MdeModulePkg/Bus/Spi/SpiNorFlashJedecSfdp/SpiNorFlash.c +++ b/MdeModulePkg/Bus/Spi/SpiNorFlashJedecSfdp/SpiNorFlash.c @@ -48,7 +48,17 @@ FillWriteBuffer ( UINT32 Index; UINT8 SfdpAddressBytes; - SfdpAddressBytes = (UINT8)Instance->SfdpBasicFlash->AddressBytes; + if ((Instance == NULL) || (WriteBuffer == NULL)) { + ASSERT (Instance != NULL); + ASSERT (WriteBuffer != NULL); + return 0; + } + + if (Instance->SfdpBasicFlash == NULL) { + SfdpAddressBytes = 0; + } else { + SfdpAddressBytes = (UINT8)Instance->SfdpBasicFlash->AddressBytes; + } // Copy Opcode into Write Buffer Instance->SpiTransactionWriteBuffer[0] = Opcode;
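Review bot: The new early return at the top of `FillWriteBuffer` treats `WriteBuffer == NULL` as an invalid argument, but the only write visible in this hunk goes to `Instance->SpiTransactionWriteBuffer[0]`, and the call path in the commit message reaches this function from `ReadSfdpHeader`, which reads the SFDP header rather than writing data. If any caller passes a NULL `WriteBuffer` for a transaction that carries no data bytes, this check turns a valid call into an ASSERT in debug builds and a silent zero-length return in release builds, where ASSERT compiles out. Suggest keeping the `Instance == NULL` check here and testing `WriteBuffer` only at the point where it is dereferenced. Separately, in the `Instance->SfdpBasicFlash == NULL` branch the fallback `SfdpAddressBytes = 0;` is silent: add a comment stating what 0 means to the code that follows and why that is the right value before `ReadSfdpBasicParameterTable` has allocated the table, and note in the function header that a return of 0 now also signals invalid arguments so callers can check for it.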