commit | 3db45610bbb349313b976c93c80dd615a8a194f7 | [log] [tgz] |
---|---|---|
author | Andrew de los Reyes <adlr@google.com> | Fri Sep 04 14:54:34 2015 -0700 |
committer | Andrew Duggan <aduggan@synaptics.com> | Thu Sep 10 11:16:24 2015 -0700 |
tree | 82b253261225ac6eb7df2cbc3f143ba9afe693fc | |
parent | ec066eef742f1185d06e9b0f541dfbf27d090f6e [diff] |
HIDDevice::Read: Fix possible out of bounds access Addresses security concern: HIDDevice::Read contains potential past-end-of-buffer write (and read) when presented with a malicious/corrupt device report (m_readData[HID_RMI4_READ_INPUT_COUNT] is not compared against the remaining buf size. It asks nicely for no more than what would fit, but the value in m_readData is HID device controlled, but isn't checked against the actual size of the incoming buffer)