From b30b82e27b43da6d068c00483753ac5da364f4fb Mon Sep 17 00:00:00 2001 From: Robert Fisk Date: Tue, 3 May 2016 23:36:57 +1200 Subject: [PATCH] Improve HID parser error checking --- Downstream/Src/downstream_hid.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/Downstream/Src/downstream_hid.c b/Downstream/Src/downstream_hid.c index 31e174b..cc20ec0 100644 --- a/Downstream/Src/downstream_hid.c +++ b/Downstream/Src/downstream_hid.c @@ -182,16 +182,28 @@ HAL_StatusTypeDef Downstream_HID_Mouse_ParseReportDescriptor(void) { ReportXBitOffset = currentReportBitIndex + (currentReportSize * xUsageIndex); ReportXBitLength = currentReportSize; + if ((ReportXBitOffset + ReportXBitLength) > (HID_MAX_REPORT_LEN * 8)) + { + return HAL_ERROR; + } } if (yUsageIndex != 0xFF) { ReportYBitOffset = currentReportBitIndex + (currentReportSize * yUsageIndex); ReportYBitLength = currentReportSize; + if ((ReportYBitOffset + ReportYBitLength) > (HID_MAX_REPORT_LEN * 8)) + { + return HAL_ERROR; + } } if (wheelUsageIndex != 0xFF) { ReportWheelBitOffset = currentReportBitIndex + (currentReportSize * wheelUsageIndex); ReportWheelBitLength = currentReportSize; + if ((ReportWheelBitOffset + ReportWheelBitLength) > (HID_MAX_REPORT_LEN * 8)) + { + return HAL_ERROR; + } } } break; @@ -201,10 +213,6 @@ HAL_StatusTypeDef Downstream_HID_Mouse_ParseReportDescriptor(void) yUsageIndex = 0xFF; wheelUsageIndex = 0xFF; currentReportBitIndex += (currentReportSize * currentReportCount); - if (currentReportBitIndex >= (HID_MAX_REPORT_LEN * 8)) - { - return HAL_ERROR; - } break; } }