tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MdeModulePkg/AbsPointer: Don't access key codes when length is wrong 

Per USB HID spec, the buffer holding key codes should at least 3-byte
long.
Today's code assumes that the key codes buffer length is longer than
3-byte and unconditionally accesses the key codes buffer.
It's incorrect.
The patch fixes the issue by returning Device Error when the
length is less than 3-byte.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
This commit is contained in:
Ruiyu Ni 2018-09-13 16:06:52 +08:00
parent 8bcbe587e7
commit 0dd6065520
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c
View File

@ -813,8 +813,6 @@ OnMouseInterruptComplete (
return EFI_SUCCESS; return EFI_SUCCESS;
} }
UsbMouseAbsolutePointerDevice->StateChanged = TRUE;
// //
// Check mouse Data // Check mouse Data
// USB HID Specification specifies following data format: // USB HID Specification specifies following data format:
@ -827,6 +825,12 @@ OnMouseInterruptComplete (
// 2 0 to 7 Y displacement // 2 0 to 7 Y displacement
// 3 to n 0 to 7 Device specific (optional) // 3 to n 0 to 7 Device specific (optional)
// //
if (DataLength < 3) {
return EFI_DEVICE_ERROR;
}
UsbMouseAbsolutePointerDevice->StateChanged = TRUE;
UsbMouseAbsolutePointerDevice->State.ActiveButtons = *(UINT8 *) Data & (BIT0 | BIT1 | BIT2); UsbMouseAbsolutePointerDevice->State.ActiveButtons = *(UINT8 *) Data & (BIT0 | BIT1 | BIT2);
UsbMouseAbsolutePointerDevice->State.CurrentX = UsbMouseAbsolutePointerDevice->State.CurrentX =