[PATCH 6/7] hidclass.sys: Return error on invalid read buffer size.
Rémi Bernon
rbernon at codeweavers.com
Tue Jul 6 04:00:52 CDT 2021
Signed-off-by: Rémi Bernon <rbernon at codeweavers.com>
---
dlls/hidclass.sys/device.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/dlls/hidclass.sys/device.c b/dlls/hidclass.sys/device.c
index 5dd4aadb899..da1814587c7 100644
--- a/dlls/hidclass.sys/device.c
+++ b/dlls/hidclass.sys/device.c
@@ -597,6 +597,7 @@ NTSTATUS WINAPI pdo_read(DEVICE_OBJECT *device, IRP *irp)
{
HID_XFER_PACKET *packet;
BASE_DEVICE_EXTENSION *ext = device->DeviceExtension;
+ const WINE_HIDP_PREPARSED_DATA *data = ext->u.pdo.preparsed_data;
UINT buffer_size = RingBuffer_GetBufferSize(ext->u.pdo.ring_buffer);
NTSTATUS rc = STATUS_SUCCESS;
IO_STACK_LOCATION *irpsp = IoGetCurrentIrpStackLocation(irp);
@@ -615,6 +616,13 @@ NTSTATUS WINAPI pdo_read(DEVICE_OBJECT *device, IRP *irp)
return STATUS_DELETE_PENDING;
}
+ if (irpsp->Parameters.Read.Length < data->caps.InputReportByteLength)
+ {
+ irp->IoStatus.Status = STATUS_INVALID_BUFFER_SIZE;
+ IoCompleteRequest( irp, IO_NO_INCREMENT );
+ return STATUS_INVALID_BUFFER_SIZE;
+ }
+
packet = malloc(buffer_size);
ptr = PtrToUlong( irp->Tail.Overlay.OriginalFileObject->FsContext );
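Review bot: The new guard `if (irpsp->Parameters.Read.Length < data->caps.InputReportByteLength)` checks the caller's length against the report size, but the allocation on the following context line is sized by `buffer_size` from the ring buffer, and nothing visible shows that the two are the same quantity. If the later copy into the caller's buffer is bounded by `buffer_size` rather than by `Read.Length`, a request that passes this check could still be too short. A comment such as `/* caller's buffer must hold one full input report; the copy below never exceeds Read.Length */` would state the invariant, once it is confirmed against the rest of the function. The early return also leaves `irp->IoStatus.Information` untouched, so adding `irp->IoStatus.Information = 0;` before `IoCompleteRequest` would avoid reporting a stale byte count, unless it is already zeroed outside the hunk. pdo_read starts and continues outside the hunk, so the copy path itself could not be reviewed here.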
--
2.32.0