author | Andrew de los Reyes <adlr@google.com> | 2015-09-04 14:54:34 -0700 |
---|---|---|
committer | Andrew Duggan <aduggan@synaptics.com> | 2015-09-10 11:16:24 -0700 |
commit | 3db45610bbb349313b976c93c80dd615a8a194f7 (patch) | |
tree | 82b253261225ac6eb7df2cbc3f143ba9afe693fc | |
parent | ec066eef742f1185d06e9b0f541dfbf27d090f6e (diff) | |
download | rmi4utils-3db45610bbb349313b976c93c80dd615a8a194f7.tar.gz |
HIDDevice::Read: Fix possible out of bounds access
Addresses security concern:
HIDDevice::Read contains potential past-end-of-buffer write (and
read) when presented with a malicious/corrupt device report
(m_readData[HID_RMI4_READ_INPUT_COUNT] is not compared against the
remaining buf size. It asks nicely for no more than what would fit, but
the value in m_readData is HID device controlled, but isn't checked
against the actual size of the incoming buffer)
-rw-r--r-- | rmidevice/hiddevice.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp index 500878b..b6deaec 100644 --- a/rmidevice/hiddevice.cpp +++ b/rmidevice/hiddevice.cpp @@ -280,6 +280,9 @@ int HIDDevice::Read(unsigned short addr, unsigned char *buf, unsigned short len) HID_RMI4_READ_INPUT_DATA)) return -1; bytesInDataReport = m_readData[HID_RMI4_READ_INPUT_COUNT]; + if (bytesInDataReport > + m_inputReportSize - HID_RMI4_READ_INPUT_DATA) + return -1; memcpy(buf + bytesReadPerRequest, &m_readData[HID_RMI4_READ_INPUT_DATA], bytesInDataReport); bytesReadPerRequest += bytesInDataReport; |
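Review bot: The new check in HIDDevice::Read bounds bytesInDataReport only against the source (m_inputReportSize - HID_RMI4_READ_INPUT_DATA), while the memcpy that follows writes to buf + bytesReadPerRequest, and nothing in this hunk compares the count against the space left in the caller's buffer (len - bytesReadPerRequest). A device that reports a count larger than what was requested, but still within the input report size, would pass this test and could still write past the end of buf. Unless code outside the hunk already clamps it, consider also rejecting the report when `bytesInDataReport > len - bytesReadPerRequest`. It is also worth confirming that m_inputReportSize can never be smaller than HID_RMI4_READ_INPUT_DATA, since an unsigned subtraction there would wrap and make the check ineffective.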