From bca451bf05bec8db5b212f5e1b84d9b8653fd29c Mon Sep 17 00:00:00 2001 From: Robert Fisk Date: Tue, 3 May 2016 23:36:57 +1200 Subject: [PATCH] Improve HID parser error checking --- Downstream/Src/downstream_hid.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/Downstream/Src/downstream_hid.c b/Downstream/Src/downstream_hid.c index e9cff89..483f861 100644 --- a/Downstream/Src/downstream_hid.c +++ b/Downstream/Src/downstream_hid.c @@ -180,25 +180,33 @@ HAL_StatusTypeDef Downstream_HID_Mouse_ParseReportDescriptor(void) { ReportXBitOffset = currentReportBitIndex + (currentReportSize * xUsageIndex); ReportXBitLength = currentReportSize; + if ((ReportXBitOffset + ReportXBitLength) > (HID_MAX_REPORT_LEN * 8)) + { + return HAL_ERROR; + } } if (yUsageIndex != 0xFF) { ReportYBitOffset = currentReportBitIndex + (currentReportSize * yUsageIndex); ReportYBitLength = currentReportSize; + if ((ReportYBitOffset + ReportYBitLength) > (HID_MAX_REPORT_LEN * 8)) + { + return HAL_ERROR; + } } if (wheelUsageIndex != 0xFF) { ReportWheelBitOffset = currentReportBitIndex + (currentReportSize * wheelUsageIndex); ReportWheelBitLength = currentReportSize; + if ((ReportWheelBitOffset + ReportWheelBitLength) > (HID_MAX_REPORT_LEN * 8)) + { + return HAL_ERROR; + } } } break; } currentReportBitIndex += (currentReportSize * currentReportCount); - if (currentReportBitIndex >= (HID_MAX_REPORT_LEN * 8)) - { - return HAL_ERROR; - } break; } }