hidclass.sys: Return error on invalid read buffer size.

Signed-off-by: Rémi Bernon <rbernon@codeweavers.com> Signed-off-by: Zebediah Figura <zfigura@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

hidclass.sys: Return error on invalid read buffer size.
5a62d0db · Rémi Bernon · Alexandre Julliard · d9d982df · 5a62d0db
Commit 5a62d0db authored Jul 06, 2021 by Rémi Bernon Committed by Alexandre Julliard Jul 06, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

device.c dlls/hidclass.sys/device.c +8 -0

No files found.
--- a/dlls/hidclass.sys/device.c
+++ b/dlls/hidclass.sys/device.c
@@ -597,6 +597,7 @@ NTSTATUS WINAPI pdo_read(DEVICE_OBJECT *device, IRP *irp)
 {
    HID_XFER_PACKET *packet;
    BASE_DEVICE_EXTENSION *ext = device->DeviceExtension;
+    const WINE_HIDP_PREPARSED_DATA *data = ext->u.pdo.preparsed_data;
    UINT buffer_size = RingBuffer_GetBufferSize(ext->u.pdo.ring_buffer);
    NTSTATUS rc = STATUS_SUCCESS;
    IO_STACK_LOCATION *irpsp = IoGetCurrentIrpStackLocation(irp);
@@ -615,6 +616,13 @@ NTSTATUS WINAPI pdo_read(DEVICE_OBJECT *device, IRP *irp)
        return STATUS_DELETE_PENDING;
    }

+    if (irpsp->Parameters.Read.Length < data->caps.InputReportByteLength)
+    {
+        irp->IoStatus.Status = STATUS_INVALID_BUFFER_SIZE;
+        IoCompleteRequest( irp, IO_NO_INCREMENT );
+        return STATUS_INVALID_BUFFER_SIZE;
+    }
+
    packet = malloc(buffer_size);
    ptr = PtrToUlong( irp->Tail.Overlay.OriginalFileObject->FsContext );