Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / rmi4utils / 242ea83b394b44a8eec4cc4307cd98460ea114da
commit242ea83b394b44a8eec4cc4307cd98460ea114da[log] [tgz]
authorAndrew de los Reyes <adlr@google.com>Fri Sep 04 14:40:06 2015 -0700
committerAndrew Duggan <aduggan@synaptics.com>Thu Sep 10 11:16:24 2015 -0700
tree1a5d5fa8d3254b873604dd700cbee901df421e2e
parent074c44877931621f32459e80e105e10a9119bcc8 [diff]
validate m_*Report lengths

Addresses Security concerns:

HIDDevice::Open does not validate minimum sizes for m_*ReportSize, which
could lead to past-end-of-buffer writes when using m_*Report arrays.

HIDDevice::GetAttentionReport does not correctly validate the size of
the m_attnData buffer vs the buf len. This is a past-end-of-buffer read
condition. I don't understand the point of reading bytes-many bytes but
returning *len set to the valid size of bytes in the buffer.
2 files changed
tree: 1a5d5fa8d3254b873604dd700cbee901df421e2e
  1. f54test/
  2. rmi4update/
  3. rmidevice/
  4. rmihidtool/
  5. Android.mk
  6. Application.mk
  7. LICENSE
  8. Makefile
  9. README