Rémi Bernon : hidclass.sys: Return error on invalid read buffer size.
Alexandre Julliard
julliard at winehq.org
Tue Jul 6 18:09:36 CDT 2021
Module: wine
Branch: master
Commit: 5a62d0dbca08688e6b08c7209e79eb698846f22f
URL: https://source.winehq.org/git/wine.git/?a=commit;h=5a62d0dbca08688e6b08c7209e79eb698846f22f
Author: Rémi Bernon <rbernon at codeweavers.com>
Date: Tue Jul 6 11:00:52 2021 +0200
hidclass.sys: Return error on invalid read buffer size.
Signed-off-by: Rémi Bernon <rbernon at codeweavers.com>
Signed-off-by: Zebediah Figura <zfigura at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
---
dlls/hidclass.sys/device.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/dlls/hidclass.sys/device.c b/dlls/hidclass.sys/device.c
index 5dd4aadb899..da1814587c7 100644
--- a/dlls/hidclass.sys/device.c
+++ b/dlls/hidclass.sys/device.c
@@ -597,6 +597,7 @@ NTSTATUS WINAPI pdo_read(DEVICE_OBJECT *device, IRP *irp)
{
HID_XFER_PACKET *packet;
BASE_DEVICE_EXTENSION *ext = device->DeviceExtension;
+ const WINE_HIDP_PREPARSED_DATA *data = ext->u.pdo.preparsed_data;
UINT buffer_size = RingBuffer_GetBufferSize(ext->u.pdo.ring_buffer);
NTSTATUS rc = STATUS_SUCCESS;
IO_STACK_LOCATION *irpsp = IoGetCurrentIrpStackLocation(irp);
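Review bot: `data` is loaded from `ext->u.pdo.preparsed_data` in the declarations at the top of pdo_read, before the path that returns STATUS_DELETE_PENDING, and it is dereferenced later without a NULL check. If the preparsed data can be unset or released while the device is being removed, move the assignment down to where it is used, after that early return, or add a check before reading `data->caps`.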
@@ -615,6 +616,13 @@ NTSTATUS WINAPI pdo_read(DEVICE_OBJECT *device, IRP *irp)
return STATUS_DELETE_PENDING;
}
+ if (irpsp->Parameters.Read.Length < data->caps.InputReportByteLength)
+ {
+ irp->IoStatus.Status = STATUS_INVALID_BUFFER_SIZE;
+ IoCompleteRequest( irp, IO_NO_INCREMENT );
+ return STATUS_INVALID_BUFFER_SIZE;
+ }
+
packet = malloc(buffer_size);
ptr = PtrToUlong( irp->Tail.Overlay.OriginalFileObject->FsContext );
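Review bot: the new length check compares `Parameters.Read.Length` against `data->caps.InputReportByteLength`, but the packet allocated right after it is sized with `buffer_size` from `RingBuffer_GetBufferSize`, so the two sizes come from different sources. If they can ever differ, passing this check does not guarantee that a report of `buffer_size` bytes fits in the caller's buffer. Consider validating against the size that is actually copied, or stating (in a comment or an assertion) that the two are equal. The rejection path also sets only `irp->IoStatus.Status`; setting `irp->IoStatus.Information` to 0 there would make it explicit that no bytes were returned. A short comment on why short reads are rejected instead of truncated would help, since the commit message does not say.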