HIDDevice::ParseReportSizes: check for valid descriptors
Addresses security concern:
HIDDevice::ParseReportSizes contains potential past-end-of-buffer reads
when presented with a malicious/corrupt device descriptor (++i and i +
1, i + 2 array indexes don't validate they're less than m_rptDesc.size).
diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp
index 6e2a890..500878b 100644
--- a/rmidevice/hiddevice.cpp
+++ b/rmidevice/hiddevice.cpp
@@ -184,11 +184,15 @@
if (isReport) {
if (m_rptDesc.value[i] == 0x75) {
+ if (i + 1 >= m_rptDesc.size)
+ return;
reportSize = m_rptDesc.value[++i];
continue;
}
if (m_rptDesc.value[i] == 0x95) {
+ if (i + 1 >= m_rptDesc.size)
+ return;
reportCount = m_rptDesc.value[++i];
continue;
}
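Review bot: The new guards at `if (i + 1 >= m_rptDesc.size)` bail out with a bare `return`, so a truncated or malformed descriptor is indistinguishable to the caller from one that parsed cleanly, and whatever report sizes were accumulated before the truncation point are left as they are. Consider at least a comment at each early return, e.g. `// truncated descriptor: the payload byte for this item is missing; stop rather than read past the buffer`, and, if the class has a logging or error-reporting path (not visible here), reporting the condition through it so a corrupt device descriptor is noticed. The same two-line guard is repeated verbatim for the 0x75 and 0x95 items; a small helper such as `bool hasBytes(size_t at, size_t n) const { return at < m_rptDesc.size && n <= m_rptDesc.size - at; }` would keep the checks consistent as more are added. The types of `i` and `m_rptDesc.size` are not visible in the hunk, so whether the comparison mixes signed and unsigned cannot be confirmed here; the enclosing loop and ParseReportSizes itself begin and end outside this hunk.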
@@ -205,6 +209,8 @@
}
}
+ if (i + 2 >= m_rptDesc.size)
+ return;
if (m_rptDesc.value[i] == 0x06 && m_rptDesc.value[i + 1] == 0x00
&& m_rptDesc.value[i + 2] == 0xFF) {
isVendorSpecific = true;