authorAndrew de los Reyes <adlr@google.com>2015-09-04 14:54:34 -0700
committerAndrew Duggan <aduggan@synaptics.com>2015-09-10 11:16:24 -0700
commit3db45610bbb349313b976c93c80dd615a8a194f7 (patch)
tree82b253261225ac6eb7df2cbc3f143ba9afe693fc
parentec066eef742f1185d06e9b0f541dfbf27d090f6e (diff)
downloadrmi4utils-3db45610bbb349313b976c93c80dd615a8a194f7.tar.gz
HIDDevice::Read: Fix possible out of bounds access
Addresses security concern: HIDDevice::Read contains a potential past-end-of-buffer write (and read) when presented with a malicious/corrupt device report. m_readData[HID_RMI4_READ_INPUT_COUNT] is not compared against the remaining buf size: the request asks nicely for no more than what would fit, but the value in m_readData is HID device controlled and isn't checked against the actual size of the incoming buffer.
-rw-r--r--rmidevice/hiddevice.cpp3
1 files changed, 3 insertions, 0 deletions
diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp
index 500878b..b6deaec 100644
--- a/rmidevice/hiddevice.cpp
+++ b/rmidevice/hiddevice.cpp
@@ -280,6 +280,9 @@ int HIDDevice::Read(unsigned short addr, unsigned char *buf, unsigned short len)
HID_RMI4_READ_INPUT_DATA))
return -1;
bytesInDataReport = m_readData[HID_RMI4_READ_INPUT_COUNT];
+ if (bytesInDataReport >
+ m_inputReportSize - HID_RMI4_READ_INPUT_DATA)
+ return -1;
memcpy(buf + bytesReadPerRequest, &m_readData[HID_RMI4_READ_INPUT_DATA],
bytesInDataReport);
bytesReadPerRequest += bytesInDataReport;
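Review bot: The added check bounds only the source side of the `memcpy`: it keeps `bytesInDataReport` within `m_inputReportSize - HID_RMI4_READ_INPUT_DATA`, but nothing in this hunk compares it with the space left in the caller's `buf`, whose size is the `len` parameter. A device-supplied count larger than what was requested could still make the copy to `buf + bytesReadPerRequest` run past the end of `buf`, unless a bound outside the hunk already prevents it. I would extend the condition with the destination bound, e.g. `if (bytesInDataReport > m_inputReportSize - HID_RMI4_READ_INPUT_DATA || bytesReadPerRequest + bytesInDataReport > len) return -1;`. The body of HIDDevice::Read starts and ends outside the hunk, so the loop bounds and the types of these variables should be confirmed before applying this.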