From 6d3b3aab25cfd1afc2909a4d65a76088fba02ea8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Bernon?=
Date: Mon, 22 Nov 2021 11:05:43 +0100
Subject: [PATCH] winebus.sys: Initialize last_report length and buffer.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes a regression from e9c3c494fd2f388acd046c95ac6b121c0830bb46 where although we use the last report length, it was only initialized after the first corresponding report was received. Calling HidD_GetInputReport before that could cause a buffer overlow and report invalid data.

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=52068
Signed-off-by: RĂ©mi Bernon
Signed-off-by: Alexandre Julliard
---
 dlls/winebus.sys/main.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/dlls/winebus.sys/main.c b/dlls/winebus.sys/main.c
index d805f887a6f..111953c3bae 100644
--- a/dlls/winebus.sys/main.c
+++ b/dlls/winebus.sys/main.c
@@ -444,8 +444,6 @@ static void process_hid_report(DEVICE_OBJECT *device, BYTE *report_buf, DWORD re
 
     if (!ext->collection_desc.ReportIDs[0].ReportID) last_report = ext->last_reports[0];
     else last_report = ext->last_reports[report_buf[0]];
-
-    last_report->length = report_len;
     memcpy(last_report->buffer, report_buf, report_len);
 
     if ((irp = pop_pending_read(ext)))
@@ -861,7 +859,13 @@ static NTSTATUS pdo_pnp_dispatch(DEVICE_OBJECT *device, IRP *irp)
                 {
                     if (!(size = reports[i].InputLength)) continue;
                     size = offsetof( struct hid_report, buffer[size] );
-                    if (!(ext->last_reports[reports[i].ReportID] = RtlAllocateHeap(GetProcessHeap(), 0, size))) status = STATUS_NO_MEMORY;
+                    if (!(report = RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, size))) status = STATUS_NO_MEMORY;
+                    else
+                    {
+                        report->length = reports[i].InputLength;
+                        report->buffer[0] = reports[i].ReportID;
+                        ext->last_reports[reports[i].ReportID] = report;
+                    }
                 }
                 if (!status) ext->state = DEVICE_STATE_STARTED;
             }
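Review bot: With `last_report->length` no longer refreshed from `report_len`, the remaining `memcpy(last_report->buffer, report_buf, report_len)` copies a length supplied by the caller into a buffer whose size was fixed at allocation time from `reports[i].InputLength` (second hunk), so a report longer than the descriptor declares would write past the buffer and a shorter one would leave stale tail bytes behind the stored length. A clamp before the copy, `if (report_len > last_report->length) report_len = last_report->length;`, keeps the stored record consistent with its buffer; whether the caller already bounds `report_len` cannot be seen from this hunk. Separately, `ext->last_reports[report_buf[0]]` is dereferenced without a NULL check, and the second hunk's `continue` for a zero `InputLength` leaves that slot unallocated — presumably such IDs never arrive here, but a `if (!last_report) return;`-style guard would make that explicit. process_hid_report begins and ends outside the hunk.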
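Review bot: The new `else` block pre-seeds `length` and `buffer[0]` without saying why, and the reason is not visible at this site; a one-line comment above `report->length = reports[i].InputLength;` such as `/* seed length and report ID so a read before the first report sees a valid, zeroed record */` would tie it to the HEAP_ZERO_MEMORY choice on the allocation line. Note that `report` is not declared in this hunk, so it relies on an existing declaration in pdo_pnp_dispatch; the `continue` on a zero `InputLength` still leaves `ext->last_reports[reports[i].ReportID]` unset for that ID, which callers indexing by report ID must tolerate. pdo_pnp_dispatch begins and ends outside the hunk.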