diff options
author | Dean Camera <dean@fourwalledcubicle.com> | 2013-08-19 20:20:44 +0200 |
---|---|---|
committer | Dean Camera <dean@fourwalledcubicle.com> | 2013-08-19 20:20:44 +0200 |
commit | 179e18cf585ed5fa2bf9fca739b45e065dbe0120 (patch) | |
tree | a3a286baba3ceb2640fde88f390b589e092c275c /LUFA | |
parent | cba09e323d00bb6c17da133e7a6e5a233f02c42e (diff) | |
download | lufa-179e18cf585ed5fa2bf9fca739b45e065dbe0120.tar.gz lufa-179e18cf585ed5fa2bf9fca739b45e065dbe0120.tar.bz2 lufa-179e18cf585ed5fa2bf9fca739b45e065dbe0120.zip |
Prevent accessing past the UsageList bounds in the HID parser when dequeueing a usage.
Diffstat (limited to 'LUFA')
-rw-r--r-- | LUFA/Drivers/USB/Class/Common/HIDParser.c | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/LUFA/Drivers/USB/Class/Common/HIDParser.c b/LUFA/Drivers/USB/Class/Common/HIDParser.c index af537ef50..b58c17eab 100644 --- a/LUFA/Drivers/USB/Class/Common/HIDParser.c +++ b/LUFA/Drivers/USB/Class/Common/HIDParser.c @@ -96,42 +96,53 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, CurrStateTable++; break; + case HID_RI_POP(0): if (CurrStateTable == &StateTable[0]) return HID_PARSE_HIDStackUnderflow; CurrStateTable--; break; + case HID_RI_USAGE_PAGE(0): if ((HIDReportItem & HID_RI_DATA_SIZE_MASK) == HID_RI_DATA_BITS_32) CurrStateTable->Attributes.Usage.Page = (ReportItemData >> 16); CurrStateTable->Attributes.Usage.Page = ReportItemData; break; + case HID_RI_LOGICAL_MINIMUM(0): CurrStateTable->Attributes.Logical.Minimum = ReportItemData; break; + case HID_RI_LOGICAL_MAXIMUM(0): CurrStateTable->Attributes.Logical.Maximum = ReportItemData; break; + case HID_RI_PHYSICAL_MINIMUM(0): CurrStateTable->Attributes.Physical.Minimum = ReportItemData; break; + case HID_RI_PHYSICAL_MAXIMUM(0): CurrStateTable->Attributes.Physical.Maximum = ReportItemData; break; + case HID_RI_UNIT_EXPONENT(0): CurrStateTable->Attributes.Unit.Exponent = ReportItemData; break; + case HID_RI_UNIT(0): CurrStateTable->Attributes.Unit.Type = ReportItemData; break; + case HID_RI_REPORT_SIZE(0): CurrStateTable->Attributes.BitSize = ReportItemData; break; + case HID_RI_REPORT_COUNT(0): CurrStateTable->ReportCount = ReportItemData; break; + case HID_RI_REPORT_ID(0): CurrStateTable->ReportID = ReportItemData; @@ -162,18 +173,22 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, CurrReportIDInfo->ReportID = CurrStateTable->ReportID; break; + case HID_RI_USAGE(0): if (UsageListSize == HID_USAGE_STACK_DEPTH) return HID_PARSE_UsageListOverflow; UsageList[UsageListSize++] = ReportItemData; break; + case HID_RI_USAGE_MINIMUM(0): UsageMinMax.Minimum = ReportItemData; break; + case HID_RI_USAGE_MAXIMUM(0): UsageMinMax.Maximum = ReportItemData; break; + case HID_RI_COLLECTION(0): if (CurrCollectionPath == NULL) { @@ -203,8 +218,8 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, { CurrCollectionPath->Usage.Usage = UsageList[0]; - for (uint8_t i = 0; i < UsageListSize; i++) - UsageList[i] = UsageList[i + 1]; + for (uint8_t i = 1; i < UsageListSize; i++) + UsageList[i - 1] = UsageList[i]; UsageListSize--; } @@ -214,12 +229,14 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, } break; + case HID_RI_END_COLLECTION(0): if (CurrCollectionPath == NULL) return HID_PARSE_UnexpectedEndCollection; CurrCollectionPath = CurrCollectionPath->Parent; break; + case HID_RI_INPUT(0): case HID_RI_OUTPUT(0): case HID_RI_FEATURE(0): @@ -239,8 +256,8 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, { NewReportItem.Attributes.Usage.Usage = UsageList[0]; - for (uint8_t i = 0; i < UsageListSize; i++) - UsageList[i] = UsageList[i + 1]; + for (uint8_t i = 1; i < UsageListSize; i++) + UsageList[i - 1] = UsageList[i]; UsageListSize--; } @@ -275,7 +292,7 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, } break; - + default: break; } |