[PATCH] hidclass.sys: Don't crash when no buffer was provided.
Rémi Bernon
rbernon at codeweavers.com
Mon Jun 7 04:11:37 CDT 2021
Signed-off-by: Rémi Bernon <rbernon at codeweavers.com>
---
This happens when reading a 0 byte report. It's probably not supposed to
be done, but I think crashing winedevice.exe in that case isn't good
either.
dlls/hidclass.sys/device.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/dlls/hidclass.sys/device.c b/dlls/hidclass.sys/device.c
index 73ea6610ab8..82366ad1888 100644
--- a/dlls/hidclass.sys/device.c
+++ b/dlls/hidclass.sys/device.c
@@ -345,6 +345,12 @@ static NTSTATUS HID_get_feature(BASE_DEVICE_EXTENSION *ext, IRP *irp)
out_buffer = MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority);
TRACE_(hid_report)("Device %p Buffer length %i Buffer %p\n", ext, irpsp->Parameters.DeviceIoControl.OutputBufferLength, out_buffer);
+ if (!irpsp->Parameters.DeviceIoControl.OutputBufferLength || !out_buffer)
+ {
+ irp->IoStatus.Status = STATUS_BUFFER_TOO_SMALL;
+ return rc;
+ }
+
len = sizeof(*packet) + irpsp->Parameters.DeviceIoControl.OutputBufferLength;
packet = malloc(len);
packet->reportBufferLen = irpsp->Parameters.DeviceIoControl.OutputBufferLength;
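Review bot: The `packet = malloc(len);` that follows the new guard is still dereferenced unchecked on the next line (`packet->reportBufferLen = ...`), so a failed allocation for a caller-supplied OutputBufferLength ends in the same NULL-dereference crash of winedevice.exe that this patch sets out to remove. A check such as `if (!packet) { irp->IoStatus.Status = STATUS_NO_MEMORY; return STATUS_NO_MEMORY; }` directly after the allocation would close that path. The same applies to `packet = malloc(packet_size);` in the pdo_ioctl hunk, where no check is visible either. Separately, the early return hands back `rc`, which this hunk never assigns; if it still holds a success value at that point (its initialisation is outside the hunk), the return value and `irp->IoStatus.Status` disagree, so assigning `rc = STATUS_BUFFER_TOO_SMALL;` before returning would be safer. HID_get_feature's body starts and ends outside the hunk.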
@@ -495,6 +501,12 @@ NTSTATUS WINAPI pdo_ioctl(DEVICE_OBJECT *device, IRP *irp)
BYTE *buffer = MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority);
ULONG out_length;
+ if (!irpsp->Parameters.DeviceIoControl.OutputBufferLength || !buffer)
+ {
+ irp->IoStatus.Status = STATUS_BUFFER_TOO_SMALL;
+ break;
+ }
+
packet = malloc(packet_size);
if (ext->u.pdo.preparsed_data->reports[0].reportID)
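Review bot: The added guard rejects only a zero OutputBufferLength, so any non-zero length shorter than the report still passes and reaches the code that fills `buffer`. Whether the later copy is clamped to OutputBufferLength (presumably through `out_length`) is outside this hunk and should be confirmed, since the length comes from the ioctl caller. If it is not clamped, the comparison belongs here against the expected report size rather than against zero. A short comment on the guard, for example `/* a zero-length read carries no MDL, so buffer may be NULL */`, would also record why both conditions are tested. This case block continues outside the hunk.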
--
2.31.0