diff options
| author | Ruiyu Ni <ruiyu.ni@intel.com> | 2018-09-13 16:06:52 +0800 |
|---|---|---|
| committer | Ruiyu Ni <ruiyu.ni@intel.com> | 2018-10-17 11:04:02 +0800 |
| commit | 0dd6065520742f62678db9dd6728f22b2abd68e2 (patch) | |
| tree | 63840b20aacc842c444fe9408e85c6abb0437037 /MdeModulePkg/Bus/Usb | |
| parent | 8bcbe587e794aaaa6506b647732316ce5ba40168 (diff) | |
| download | edk2-0dd6065520742f62678db9dd6728f22b2abd68e2.tar.gz edk2-0dd6065520742f62678db9dd6728f22b2abd68e2.tar.bz2 edk2-0dd6065520742f62678db9dd6728f22b2abd68e2.zip | |
MdeModulePkg/AbsPointer: Don't access key codes when length is wrong
Per USB HID spec, the buffer holding key codes should at least 3-byte
long.
Today's code assumes that the key codes buffer length is longer than
3-byte and unconditionally accesses the key codes buffer.
It's incorrect.
The patch fixes the issue by returning Device Error when the
length is less than 3-byte.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Diffstat (limited to 'MdeModulePkg/Bus/Usb')
| -rw-r--r-- | MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c b/MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c index 965195ca34..42b9147ad8 100644 --- a/MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c +++ b/MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c @@ -813,8 +813,6 @@ OnMouseInterruptComplete ( return EFI_SUCCESS;
}
- UsbMouseAbsolutePointerDevice->StateChanged = TRUE;
-
//
// Check mouse Data
// USB HID Specification specifies following data format:
@@ -827,6 +825,12 @@ OnMouseInterruptComplete ( // 2 0 to 7 Y displacement
// 3 to n 0 to 7 Device specific (optional)
//
+ if (DataLength < 3) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ UsbMouseAbsolutePointerDevice->StateChanged = TRUE;
+
UsbMouseAbsolutePointerDevice->State.ActiveButtons = *(UINT8 *) Data & (BIT0 | BIT1 | BIT2);
UsbMouseAbsolutePointerDevice->State.CurrentX =
|