Re: [PATCH] usb/dev-wacom: fix OOB write in usb_mouse_poll()
From: Alexander Bulekov
Subject: Re: [PATCH] usb/dev-wacom: fix OOB write in usb_mouse_poll()
Date: Wed, 29 Mar 2023 05:42:53 -0400
On 230213 1841, Mauro Matteo Cascella wrote:
> The guest can control the size of buf; an OOB write occurs when buf is 1 or 2
> bytes long. Only fill in the buffer as long as there is enough space, throw
> away any data which doesn't fit.
>
> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Thanks
> ---
> hw/usb/dev-wacom.c | 20 +++++++++++++-------
> 1 file changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
> index 7177c17f03..ca9e6aa82f 100644
> --- a/hw/usb/dev-wacom.c
> +++ b/hw/usb/dev-wacom.c
> @@ -252,14 +252,20 @@ static int usb_mouse_poll(USBWacomState *s, uint8_t
> *buf, int len)
> if (s->buttons_state & MOUSE_EVENT_MBUTTON)
> b |= 0x04;
>
> - buf[0] = b;
> - buf[1] = dx;
> - buf[2] = dy;
> - l = 3;
> - if (len >= 4) {
> - buf[3] = dz;
> - l = 4;
> + l = 0;
> + if (len > l) {
> + buf[l++] = b;
> }
> + if (len > l) {
> + buf[l++] = dx;
> + }
> + if (len > l) {
> + buf[l++] = dy;
> + }
> + if (len > l) {
> + buf[l++] = dz;
> + }
> +
> return l;
> }
>
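Review bot: the four identical `if (len > l)` guards in this hunk are correct but verbose, and the bound they enforce is easier to see at a glance if the report is staged in a fixed array and copied with the length clamped, e.g. `uint8_t report[4] = { b, dx, dy, dz }; l = MIN(len, (int)sizeof(report)); memcpy(buf, report, l);`. Whichever form is kept, a one-line comment that a short `len` intentionally yields a truncated report (as the commit message says) would help the next reader, since the removed code always wrote at least 3 bytes and callers may have relied on that.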
> --
> 2.39.1
>
>
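The commit message above describes the bug in one sentence: `len` is guest-chosen, and the pre-patch fill wrote three bytes unconditionally. The following is an added example, not code from the QEMU patch or from hw/usb/dev-wacom.c. It models the old and the fixed fill sequences from the quoted hunk as stand-alone functions (`old_poll`, `fixed_poll` are names assumed here), runs each against a packet of a given length placed in front of a canary region, and counts how many canary bytes get clobbered. The button and delta values are constructed sample data, not values from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample event: button byte, dx, dy, dz (assumed values). */
#define SAMPLE_B  0x01
#define SAMPLE_DX 0x05
#define SAMPLE_DY 0xFB  /* -5 as an unsigned byte */
#define SAMPLE_DZ 0x01

/* Models the pre-patch fill: always writes 3 bytes, 4 when len >= 4,
 * regardless of how small len actually is. */
static int old_poll(uint8_t *buf, int len)
{
    int l;
    buf[0] = SAMPLE_B;
    buf[1] = SAMPLE_DX;
    buf[2] = SAMPLE_DY;
    l = 3;
    if (len >= 4) {
        buf[3] = SAMPLE_DZ;
        l = 4;
    }
    return l;
}

/* Models the patched fill: every store is guarded, so at most len bytes
 * are written and the report is truncated when len is short. */
static int fixed_poll(uint8_t *buf, int len)
{
    int l = 0;
    if (len > l) buf[l++] = SAMPLE_B;
    if (len > l) buf[l++] = SAMPLE_DX;
    if (len > l) buf[l++] = SAMPLE_DY;
    if (len > l) buf[l++] = SAMPLE_DZ;
    return l;
}

#define MAX_REPORT 4
#define CANARY     0xAA
#define CANARY_LEN 8

typedef int (*poll_fn)(uint8_t *, int);

/* Lay out a len-byte packet followed by a canary region in one backing
 * array, so an overrun of the packet lands in the canary instead of in
 * undefined memory. Returns the poll function's own return value. */
static int run_poll(poll_fn fn, int len, uint8_t *storage, size_t size)
{
    memset(storage, CANARY, size);
    return fn(storage, len);
}

/* Number of bytes written past the len-byte packet (0 means no OOB write).
 * len is limited to MAX_REPORT so the canary region always exists. */
static int count_oob_writes(poll_fn fn, int len)
{
    uint8_t storage[MAX_REPORT + CANARY_LEN];
    if (len < 0 || len > MAX_REPORT) {
        return -1;
    }
    run_poll(fn, len, storage, sizeof(storage));
    int clobbered = 0;
    for (size_t i = (size_t)len; i < sizeof(storage); i++) {
        if (storage[i] != CANARY) {
            clobbered++;
        }
    }
    return clobbered;
}

/* Length the poll function reports for a packet of the given len. */
static int report_len(poll_fn fn, int len)
{
    uint8_t storage[MAX_REPORT + CANARY_LEN];
    if (len < 0 || len > MAX_REPORT) {
        return -1;
    }
    return run_poll(fn, len, storage, sizeof(storage));
}

int main(void)
{
    printf("len  old:oob/ret  fixed:oob/ret\n");
    for (int len = 0; len <= MAX_REPORT; len++) {
        printf("%3d  %d/%d          %d/%d\n", len,
               count_oob_writes(old_poll, len), report_len(old_poll, len),
               count_oob_writes(fixed_poll, len), report_len(fixed_poll, len));
    }
    return 0;
}
```

The table the program prints makes the commit message concrete: for `len` of 1 or 2 the old sequence overruns by 2 and 1 bytes and still reports 3, while the fixed sequence never touches the canary and reports exactly `len`. The `len == 0` row is worth a glance too: the old code overruns by three bytes there, and the fixed code returns 0, a case the commit message does not call out but that the same guard now covers.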