authorAndrew de los Reyes <adlr@google.com>2015-09-04 14:43:47 -0700
committerAndrew Duggan <aduggan@synaptics.com>2015-09-10 11:16:24 -0700
commitec066eef742f1185d06e9b0f541dfbf27d090f6e (patch)
treea3ba86289d5fae4157bca722dbe4da99fe6c4651
parent242ea83b394b44a8eec4cc4307cd98460ea114da (diff)
HIDDevice::ParseReportSizes: check for valid descriptors
Addresses security concern: HIDDevice::ParseReportSizes contains potential past-end-of-buffer reads when presented with a malicious/corrupt device descriptor (++i and i + 1, i + 2 array indexes don't validate they're less than m_rptDesc.size).
-rw-r--r--rmidevice/hiddevice.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp
index 6e2a890..500878b 100644
--- a/rmidevice/hiddevice.cpp
+++ b/rmidevice/hiddevice.cpp
@@ -184,11 +184,15 @@ void HIDDevice::ParseReportSizes()
if (isReport) {
if (m_rptDesc.value[i] == 0x75) {
+ if (i + 1 >= m_rptDesc.size)
+ return;
reportSize = m_rptDesc.value[++i];
continue;
}
if (m_rptDesc.value[i] == 0x95) {
+ if (i + 1 >= m_rptDesc.size)
+ return;
reportCount = m_rptDesc.value[++i];
continue;
}
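Review bot: The two new guards in the 0x75 and 0x95 branches leave ParseReportSizes with a bare `return`, so a truncated descriptor is indistinguishable from one that parsed cleanly; the function is void and nothing is logged. I would at least document the reason at each guard, e.g. `// item prefix is the last byte: its data byte would be read past m_rptDesc.size`, and consider reporting the malformed descriptor to the caller or to the log so a corrupt or hostile device is visible to whoever runs the tool. The guards are also only as reliable as `m_rptDesc.size` itself; where that field is filled in is outside this hunk, so it is worth confirming it is checked against the capacity of `m_rptDesc.value` before parsing starts. The function body begins and ends outside the hunk.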
@@ -205,6 +209,8 @@ void HIDDevice::ParseReportSizes()
}
}
+ if (i + 2 >= m_rptDesc.size)
+ return;
if (m_rptDesc.value[i] == 0x06 && m_rptDesc.value[i + 1] == 0x00
&& m_rptDesc.value[i + 2] == 0xFF) {
isVendorSpecific = true;
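Review bot: The guard ahead of the vendor-specific usage page comparison uses `return`, which ends the whole parse whenever the loop reaches this point with fewer than three bytes left, and a well-formed descriptor can reach it there too, not only a malformed one. Any item handling later in the loop body or any work after the loop (neither is visible in this hunk) would then be skipped for the final bytes. Folding the bound into the condition keeps the read in range without changing control flow: `if (i + 2 < m_rptDesc.size && m_rptDesc.value[i] == 0x06 && m_rptDesc.value[i + 1] == 0x00`. The enclosing loop and function start and end outside the hunk.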