MdeModulePkg/UsbMouse: Don't access key codes when length is wrong

Per USB HID spec, the buffer holding key codes should at least 3-byte long. Today's code assumes that the key codes buffer length is longer than 3-byte and unconditionally accesses the key codes buffer. It's incorrect. The patch fixes the issue by returning Device Error when the length is less than 3-byte. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Steven Shi <steven.shi@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-09-13 16:09:10 +08:00 · 2018-09-13 16:09:10 +08:00 · 6c46cbbd5e
parent 0dd6065520
commit 6c46cbbd5e
1 changed files with 6 additions and 2 deletions
--- a/MdeModulePkg/Bus/Usb/UsbMouseDxe/UsbMouse.c
+++ b/MdeModulePkg/Bus/Usb/UsbMouseDxe/UsbMouse.c
@ -811,8 +811,6 @@ OnMouseInterruptComplete (
    return EFI_SUCCESS;
  }

-  UsbMouseDevice->StateChanged = TRUE;
-
  //
  // Check mouse Data
  // USB HID Specification specifies following data format:
@ -825,6 +823,12 @@ OnMouseInterruptComplete (
  // 2       0 to 7  Y displacement
  // 3 to n  0 to 7  Device specific (optional)
  //
+  if (DataLength < 3) {
+    return EFI_DEVICE_ERROR;
+  }
+
+  UsbMouseDevice->StateChanged = TRUE;
+
  UsbMouseDevice->State.LeftButton  = (BOOLEAN) ((*(UINT8 *) Data & BIT0) != 0);
  UsbMouseDevice->State.RightButton = (BOOLEAN) ((*(UINT8 *) Data & BIT1) != 0);
  UsbMouseDevice->State.RelativeMovementX += *((INT8 *) Data + 1);