Rémi Bernon : winebus.sys: Initialize last_report length and buffer.

Alexandre Julliard julliard at winehq.org
Mon Nov 22 16:05:17 CST 2021


Module: wine
Branch: master
Commit: 6d3b3aab25cfd1afc2909a4d65a76088fba02ea8
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=6d3b3aab25cfd1afc2909a4d65a76088fba02ea8

Author: Rémi Bernon <rbernon at codeweavers.com>
Date:   Mon Nov 22 11:05:43 2021 +0100

winebus.sys: Initialize last_report length and buffer.

Fixes a regression from e9c3c494fd2f388acd046c95ac6b121c0830bb46 where
although we use the last report length, it was only initialized after
the first corresponding report was received. Calling HidD_GetInputReport
before that could cause a buffer overflow and report invalid data.

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=52068
Signed-off-by: Rémi Bernon <rbernon at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/winebus.sys/main.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/dlls/winebus.sys/main.c b/dlls/winebus.sys/main.c
index d805f887a6f..111953c3bae 100644
--- a/dlls/winebus.sys/main.c
+++ b/dlls/winebus.sys/main.c
@@ -444,8 +444,6 @@ static void process_hid_report(DEVICE_OBJECT *device, BYTE *report_buf, DWORD re
 
     if (!ext->collection_desc.ReportIDs[0].ReportID) last_report = ext->last_reports[0];
     else last_report = ext->last_reports[report_buf[0]];
-
-    last_report->length = report_len;
     memcpy(last_report->buffer, report_buf, report_len);
 
     if ((irp = pop_pending_read(ext)))
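Review bot: with `last_report->length = report_len;` removed, the `memcpy(last_report->buffer, report_buf, report_len);` right after it copies a caller-supplied length into a buffer whose size is now fixed at allocation time from `InputLength`, and nothing in the visible lines compares `report_len` with `last_report->length` first. Consider bounding the copy to `last_report->length` or rejecting a report whose length differs. The `last_report` pointer chosen via `report_buf[0]` is also dereferenced without a visible NULL check, although the allocation loop skips report IDs whose `InputLength` is zero.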
@@ -861,7 +859,13 @@ static NTSTATUS pdo_pnp_dispatch(DEVICE_OBJECT *device, IRP *irp)
                     {
                         if (!(size = reports[i].InputLength)) continue;
                         size = offsetof( struct hid_report, buffer[size] );
-                        if (!(ext->last_reports[reports[i].ReportID] = RtlAllocateHeap(GetProcessHeap(), 0, size))) status = STATUS_NO_MEMORY;
+                        if (!(report = RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, size))) status = STATUS_NO_MEMORY;
+                        else
+                        {
+                            report->length = reports[i].InputLength;
+                            report->buffer[0] = reports[i].ReportID;
+                            ext->last_reports[reports[i].ReportID] = report;
+                        }
                     }
                     if (!status) ext->state = DEVICE_STATE_STARTED;
                 }
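Review bot: the new `else` branch sets `report->length` to `reports[i].InputLength` and seeds `report->buffer[0]` with the report ID, but carries no comment saying these are the values read back when HidD_GetInputReport is called before any report has arrived. A one-line comment there, noting that `HEAP_ZERO_MEMORY` leaves the rest of the buffer zeroed, would keep the three initializations from being separated or dropped in a later refactor.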



