HIDDevice::Read: Check that the bytes reported by the report match what we expect

Make sure that the bytes in the report do no exceed the bytes which were requested or that the bytes exceed the bytes remaining in the buffer.
author: Andrew Duggan <aduggan@synaptics.com> 2015-09-10 13:13:08 -0700
committer: Andrew Duggan <aduggan@synaptics.com> 2015-09-10 15:33:05 -0700
commit: edeea832d7c06b13e6e35067832dab289a8039a0 (patch)
tree: cf94c43a438510faa33ef9066d145ad7424915a0 /rmidevice/hiddevice.cpp
parent: 0e21a041af44993cf124c4cd5553bcb9959fce56 (diff)
download: rmi4utils-edeea832d7c06b13e6e35067832dab289a8039a0.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp
index f6ccd58..6a3c3fb 100644
--- a/rmidevice/hiddevice.cpp
+++ b/rmidevice/hiddevice.cpp
@@ -280,8 +280,8 @@ int HIDDevice::Read(unsigned short addr, unsigned char *buf, unsigned short len)
 					     HID_RMI4_READ_INPUT_DATA))
 					return -1;
 				bytesInDataReport = m_readData[HID_RMI4_READ_INPUT_COUNT];
-				if (bytesInDataReport >
-				    m_inputReportSize - HID_RMI4_READ_INPUT_DATA)
+				if (bytesInDataReport > bytesToRequest
+				    || bytesReadPerRequest + bytesInDataReport > len)
 					return -1;
 				memcpy(buf + bytesReadPerRequest, &m_readData[HID_RMI4_READ_INPUT_DATA],
 					bytesInDataReport);
author	Andrew Duggan <aduggan@synaptics.com>	2015-09-10 13:13:08 -0700
committer	Andrew Duggan <aduggan@synaptics.com>	2015-09-10 15:33:05 -0700
commit	edeea832d7c06b13e6e35067832dab289a8039a0 (patch)
tree	cf94c43a438510faa33ef9066d145ad7424915a0 /rmidevice/hiddevice.cpp
parent	0e21a041af44993cf124c4cd5553bcb9959fce56 (diff)
download	rmi4utils-edeea832d7c06b13e6e35067832dab289a8039a0.tar.gz