commit | 242ea83b394b44a8eec4cc4307cd98460ea114da | [log] [tgz] |
---|---|---|
author | Andrew de los Reyes <adlr@google.com> | Fri Sep 04 14:40:06 2015 -0700 |
committer | Andrew Duggan <aduggan@synaptics.com> | Thu Sep 10 11:16:24 2015 -0700 |
tree | 1a5d5fa8d3254b873604dd700cbee901df421e2e | |
parent | 074c44877931621f32459e80e105e10a9119bcc8 [diff] |
validate m_*Report lengths Addresses Security concerns: HIDDevice::Open does not validate minimum sizes for m_*ReportSize, which could lead to past-end-of-buffer writes when using m_*Report arrays. HIDDevice::GetAttentionReport does not correctly validate the size of the m_attnData buffer vs the buf len. This is a past-end-of-buffer read condition. I don't understand the point of reading bytes-many bytes but returning *len set to the valid size of bytes in the buffer.