[PATCH] hidclass.sys: Don't crash when no buffer was provided.

Rémi Bernon rbernon at codeweavers.com
Mon Jun 7 04:11:37 CDT 2021


Signed-off-by: Rémi Bernon <rbernon at codeweavers.com>
---

This happens when reading a 0 byte report. It's probably not supposed to
be done, but I think crashing winedevice.exe in that case isn't good
either.

 dlls/hidclass.sys/device.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/dlls/hidclass.sys/device.c b/dlls/hidclass.sys/device.c
index 73ea6610ab8..82366ad1888 100644
--- a/dlls/hidclass.sys/device.c
+++ b/dlls/hidclass.sys/device.c
@@ -345,6 +345,12 @@ static NTSTATUS HID_get_feature(BASE_DEVICE_EXTENSION *ext, IRP *irp)
     out_buffer = MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority);
     TRACE_(hid_report)("Device %p Buffer length %i Buffer %p\n", ext, irpsp->Parameters.DeviceIoControl.OutputBufferLength, out_buffer);
 
+    if (!irpsp->Parameters.DeviceIoControl.OutputBufferLength || !out_buffer)
+    {
+        irp->IoStatus.Status = STATUS_BUFFER_TOO_SMALL;
+        return rc;
+    }
+
     len = sizeof(*packet) + irpsp->Parameters.DeviceIoControl.OutputBufferLength;
     packet = malloc(len);
     packet->reportBufferLen = irpsp->Parameters.DeviceIoControl.OutputBufferLength;
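Review bot: The result of `packet = malloc(len);` is dereferenced on the very next line (`packet->reportBufferLen = ...`) without a NULL check, so an allocation failure still crashes the driver host on the path this patch is hardening. `len` is derived from the caller-supplied `OutputBufferLength`, so the requested size is not under the driver's control; a guard after the allocation such as `if (!packet) { irp->IoStatus.Status = STATUS_NO_MEMORY; return rc; }` would close that. The same unchecked `packet = malloc(packet_size);` follows the new guard in the pdo_ioctl hunk. Separately, the early return hands back `rc`, which is initialised outside this hunk; it is worth confirming that it does not report success while `IoStatus.Status` says STATUS_BUFFER_TOO_SMALL. HID_get_feature's body starts and ends outside the hunk.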
@@ -495,6 +501,12 @@ NTSTATUS WINAPI pdo_ioctl(DEVICE_OBJECT *device, IRP *irp)
             BYTE *buffer = MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority);
             ULONG out_length;
 
+            if (!irpsp->Parameters.DeviceIoControl.OutputBufferLength || !buffer)
+            {
+                irp->IoStatus.Status = STATUS_BUFFER_TOO_SMALL;
+                break;
+            }
+
             packet = malloc(packet_size);
 
             if (ext->u.pdo.preparsed_data->reports[0].reportID)
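Review bot: The new guard runs only after `MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority)` has been evaluated in the `buffer` initialiser, so it helps only if that call tolerates a NULL `irp->MdlAddress`. Whether a zero-length request can arrive with no MDL at all is not visible here. If it can, testing the MDL before mapping it would be the safer order, for example `if (!irp->MdlAddress || !irpsp->Parameters.DeviceIoControl.OutputBufferLength)`; the HID_get_feature hunk has the same ordering. A short comment on the guard such as `/* zero-length or unmapped output buffer: fail the request rather than write through buffer */` would record why it exists. The switch case this sits in starts and ends outside the hunk.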
-- 
2.31.0



