authorAndrew Duggan <aduggan@synaptics.com>2015-09-10 13:13:08 -0700
committerAndrew Duggan <aduggan@synaptics.com>2015-09-10 15:33:05 -0700
commitedeea832d7c06b13e6e35067832dab289a8039a0 (patch)
treecf94c43a438510faa33ef9066d145ad7424915a0
parent0e21a041af44993cf124c4cd5553bcb9959fce56 (diff)
HIDDevice::Read: Check that the bytes reported by the report match what we expect
Make sure that the bytes in the report do not exceed the bytes which were requested or the bytes remaining in the buffer.
-rw-r--r--rmidevice/hiddevice.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp
index f6ccd58..6a3c3fb 100644
--- a/rmidevice/hiddevice.cpp
+++ b/rmidevice/hiddevice.cpp
@@ -280,8 +280,8 @@ int HIDDevice::Read(unsigned short addr, unsigned char *buf, unsigned short len)
HID_RMI4_READ_INPUT_DATA))
return -1;
bytesInDataReport = m_readData[HID_RMI4_READ_INPUT_COUNT];
- if (bytesInDataReport >
- m_inputReportSize - HID_RMI4_READ_INPUT_DATA)
+ if (bytesInDataReport > bytesToRequest
+ || bytesReadPerRequest + bytesInDataReport > len)
return -1;
memcpy(buf + bytesReadPerRequest, &m_readData[HID_RMI4_READ_INPUT_DATA],
bytesInDataReport);
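Review bot: The rewritten condition drops the old bound against `m_inputReportSize - HID_RMI4_READ_INPUT_DATA`, so nothing in this hunk limits the device-reported `bytesInDataReport` to what `m_readData` holds before the `memcpy` reads from it. If `bytesToRequest` is not already capped to that size earlier in `HIDDevice::Read`, a report carrying an oversized count byte could make the copy read past the end of `m_readData`; the function body starts and ends outside the hunk, so this cannot be confirmed here. Keeping the old test alongside the two new ones bounds both the source and the destination: `if (bytesInDataReport > bytesToRequest || bytesInDataReport > m_inputReportSize - HID_RMI4_READ_INPUT_DATA || bytesReadPerRequest + bytesInDataReport > len)`. A short comment such as `// count byte comes from the device; bound it by request, report buffer and caller buffer` would record why all three checks are needed.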