diff options
author | Gerald Combs <gerald@wireshark.org> | 2021-01-25 13:41:38 -0800 |
---|---|---|
committer | AndersBroman <a.broman58@gmail.com> | 2021-01-26 05:20:04 +0000 |
commit | 785e291c1be04beebae3f3603752f5737dc1694d (patch) | |
tree | 8de47175da3cdd716f45fac3281f7a70b0fc5abe /epan/dissectors/packet-usb-hid.c | |
parent | 26f0db01a7f7e6c69eee2f1c601444c64ca53e19 (diff) |
USB HID: Avoid allocating a huge amount of memory (second try).
10204490d7 / MR 80 ensured that we didn't grow field.usages due to an
underflow, but it neglected to check for a sane array size. Add another
check to make sure we don't wmem_array_grow() too much. Fixes #17165 and
fixes #16809 more completely.
Diffstat (limited to 'epan/dissectors/packet-usb-hid.c')
-rw-r--r-- | epan/dissectors/packet-usb-hid.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/epan/dissectors/packet-usb-hid.c b/epan/dissectors/packet-usb-hid.c index 92ba29df32..76513bda95 100644 --- a/epan/dissectors/packet-usb-hid.c +++ b/epan/dissectors/packet-usb-hid.c @@ -3339,6 +3339,7 @@ hid_unpack_signed(guint8 *data, unsigned int idx, unsigned int size, gint32 *val } +#define MAX_REPORT_DESCRIPTOR_COUNT 100000 // Arbitrary static gboolean parse_report_descriptor(report_descriptor_t *rdesc) { @@ -3496,6 +3497,10 @@ parse_report_descriptor(report_descriptor_t *rdesc) goto err; } + if (wmem_array_get_count(field.usages) + usage_max - usage_min >= MAX_REPORT_DESCRIPTOR_COUNT) { + goto err; + } + /* min and max are inclusive */ wmem_array_grow(field.usages, usage_max - usage_min + 1); for (guint32 j = usage_min; j <= usage_max; j++) { |