author | Andrew de los Reyes <adlr@google.com> | 2015-09-04 14:43:47 -0700 |
---|---|---|
committer | Andrew Duggan <aduggan@synaptics.com> | 2015-09-10 11:16:24 -0700 |
commit | ec066eef742f1185d06e9b0f541dfbf27d090f6e (patch) | |
tree | a3ba86289d5fae4157bca722dbe4da99fe6c4651 | |
parent | 242ea83b394b44a8eec4cc4307cd98460ea114da (diff) | |
download | rmi4utils-ec066eef742f1185d06e9b0f541dfbf27d090f6e.tar.gz |
HIDDevice::ParseReportSizes: check for valid descriptors
Addresses security concern:
HIDDevice::ParseReportSizes contains potential past-end-of-buffer reads
when presented with a malicious/corrupt device descriptor (++i and i +
1, i + 2 array indexes don't validate they're less than m_rptDesc.size).
-rw-r--r-- | rmidevice/hiddevice.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp
index 6e2a890..500878b 100644
--- a/rmidevice/hiddevice.cpp
+++ b/rmidevice/hiddevice.cpp
@@ -184,11 +184,15 @@ void HIDDevice::ParseReportSizes()
 if (isReport) {
 if (m_rptDesc.value[i] == 0x75) {
+ if (i + 1 >= m_rptDesc.size)
+ return;
 reportSize = m_rptDesc.value[++i];
 continue;
 }
 if (m_rptDesc.value[i] == 0x95) {
+ if (i + 1 >= m_rptDesc.size)
+ return;
 reportCount = m_rptDesc.value[++i];
 continue;
 }
@@ -205,6 +209,8 @@ void HIDDevice::ParseReportSizes()
 }
 }
+ if (i + 2 >= m_rptDesc.size)
+ return;
 if (m_rptDesc.value[i] == 0x06 && m_rptDesc.value[i + 1] == 0x00 && m_rptDesc.value[i + 2] == 0xFF) {
 isVendorSpecific = true; |
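Review bot: Both new guards in the `0x75` and `0x95` branches of the first hunk leave through a bare `return`, so a descriptor that ends right after an item prefix stops parsing silently, and `ParseReportSizes()` is `void`, so the caller cannot tell a truncated descriptor from a complete one. Because the descriptor bytes come from the device, a diagnostic at these two points would make a malformed descriptor visible during triage. At minimum each check deserves a comment such as `/* prefix is the last byte, data byte missing: stop rather than read past m_rptDesc.size */`. The declarations of `i` and `m_rptDesc.size` are outside the hunk, so it is worth confirming both are unsigned and the `i + 1` comparison cannot be affected by a signed/unsigned mix.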
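Review bot: The `i + 2 >= m_rptDesc.size` guard in the second hunk returns from the function instead of only skipping the three-byte `0x06 0x00 0xFF` comparison, and it fires whether or not `m_rptDesc.value[i]` is `0x06`. If this statement sits at the end of the per-byte loop body, as the closing braces in the context suggest (the loop header is outside the hunk), the walk now ends two bytes before the end of every descriptor, well-formed ones included, so items in the final bytes never reach the branches above. Folding the bound into the condition keeps the read in bounds without cutting the walk short: `if (i + 2 < m_rptDesc.size && m_rptDesc.value[i] == 0x06 && m_rptDesc.value[i + 1] == 0x00 && m_rptDesc.value[i + 2] == 0xFF) {`.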