commit ec066eef742f1185d06e9b0f541dfbf27d090f6e
author Andrew de los Reyes <adlr@google.com> Fri Sep 04 14:43:47 2015 -0700
committer Andrew Duggan <aduggan@synaptics.com> Thu Sep 10 11:16:24 2015 -0700
tree a3ba86289d5fae4157bca722dbe4da99fe6c4651
parent 242ea83b394b44a8eec4cc4307cd98460ea114da

HIDDevice::ParseReportSizes: check for valid descriptors

Addresses security concern:

HIDDevice::ParseReportSizes contains potential past-end-of-buffer reads
when presented with a malicious/corrupt device descriptor (++i and i +
1, i + 2 array indexes don't validate they're less than m_rptDesc.size).

rmidevice/hiddevice.cpp

diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp
index 6e2a890..500878b 100644
--- a/rmidevice/hiddevice.cpp
+++ b/rmidevice/hiddevice.cpp
@@ -184,11 +184,15 @@
 
 			if (isReport) {
 				if (m_rptDesc.value[i] == 0x75) {
+					if (i + 1 >= m_rptDesc.size)
+						return;
 					reportSize = m_rptDesc.value[++i];
 					continue;
 				}
 
 				if (m_rptDesc.value[i] == 0x95) {
+					if (i + 1 >= m_rptDesc.size)
+						return;
 					reportCount = m_rptDesc.value[++i];
 					continue;
 				}
@@ -205,6 +209,8 @@
 			}
 		}
 
+		if (i + 2 >= m_rptDesc.size)
+			return;
 		if (m_rptDesc.value[i] == 0x06 && m_rptDesc.value[i + 1] == 0x00
 						&& m_rptDesc.value[i + 2] == 0xFF) {
 			isVendorSpecific = true;