[PATCH] hidclass.sys: fixed size passed IOCTL_HID_GET_INPUT_REPORT (Coverity)

Sebastian Lackner sebastian at fds-team.de
Sat Oct 17 08:31:24 CDT 2015


On 17.10.2015 14:52, Marcus Meissner wrote:
> 1327477 Wrong sizeof argument
> 
> Signed-off-by: Marcus Meissner <marcus at jet.franken.de>
> ---
>  dlls/hidclass.sys/device.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/dlls/hidclass.sys/device.c b/dlls/hidclass.sys/device.c
> index e7e7e11..dcc7d3c 100644
> --- a/dlls/hidclass.sys/device.c
> +++ b/dlls/hidclass.sys/device.c
> @@ -277,7 +277,7 @@ static DWORD CALLBACK hid_device_thread(void *args)
>              packet->reportId = 0;
>  
>              irp = IoBuildDeviceIoControlRequest(IOCTL_HID_GET_INPUT_REPORT,
> -                device, NULL, 0, packet, sizeof(packet), TRUE, events[0],
> +                device, NULL, 0, packet, sizeof(*packet)+ext->preparseData->caps.InputReportByteLength, TRUE, events[0],
>                  &irp_status);
>  
>              irpsp = IoGetNextIrpStackLocation(irp);
> 
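
Review bot: In the changed IoBuildDeviceIoControlRequest call, the new output length sizeof(*packet)+ext->preparseData->caps.InputReportByteLength is only safe if packet was allocated with at least that many bytes, and the allocation is not visible in this hunk. Please confirm the allocation size matches, or compute the size once into a local and use it for both the allocation and this call so the two cannot drift apart. The length is also only meaningful if the report data sits inline directly after the packet header; if the packet structure refers to the report through a pointer, the length passed here should describe that separate buffer instead. Style: the changed line is much longer than its neighbours and has no spaces around the "+", so wrap the argument list after the length. The commit message carries only the Coverity id and "Wrong sizeof argument"; a sentence saying that sizeof(packet) was the size of a pointer and what the length should cover would help.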

This looks wrong; you have to allocate a separate buffer and then copy it (like in the code below).
I don't know why some of these buffers are HEAP_ZERO_MEMORY though, and others not? Adding Aric, he
might want to review this part again, especially since Coverity detected more issues in this code
(unnecessary assignment of "rc" for example).



