USB HID: Avoid allocating a huge amount of memory (second try).

10204490d7 / MR 80 ensured that we didn't grow field.usages due to an underflow, but it neglected to check for a sane array size. Add another check to make sure we don't wmem_array_grow() too much. Fixes #17165 and fixes #16809 more completely.
author: Gerald Combs <gerald@wireshark.org> 2021-01-25 13:41:38 -0800
committer: AndersBroman <a.broman58@gmail.com> 2021-01-26 05:20:04 +0000
commit: 785e291c1be04beebae3f3603752f5737dc1694d (patch)
tree: 8de47175da3cdd716f45fac3281f7a70b0fc5abe /epan/dissectors/packet-usb-hid.c
parent: 26f0db01a7f7e6c69eee2f1c601444c64ca53e19 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/epan/dissectors/packet-usb-hid.c b/epan/dissectors/packet-usb-hid.c
index 92ba29df32..76513bda95 100644
--- a/epan/dissectors/packet-usb-hid.c
+++ b/epan/dissectors/packet-usb-hid.c
@@ -3339,6 +3339,7 @@ hid_unpack_signed(guint8 *data, unsigned int idx, unsigned int size, gint32 *val
 }
 
 
+#define MAX_REPORT_DESCRIPTOR_COUNT 100000 // Arbitrary
 static gboolean
 parse_report_descriptor(report_descriptor_t *rdesc)
 {
@@ -3496,6 +3497,10 @@ parse_report_descriptor(report_descriptor_t *rdesc)
                             goto err;
                         }
 
+                        if (wmem_array_get_count(field.usages) + usage_max - usage_min >= MAX_REPORT_DESCRIPTOR_COUNT) {
+                            goto err;
+                        }
+
                         /* min and max are inclusive */
                         wmem_array_grow(field.usages, usage_max - usage_min + 1);
                         for (guint32 j = usage_min; j <= usage_max; j++) {
author	Gerald Combs <gerald@wireshark.org>	2021-01-25 13:41:38 -0800
committer	AndersBroman <a.broman58@gmail.com>	2021-01-26 05:20:04 +0000
commit	785e291c1be04beebae3f3603752f5737dc1694d (patch)
tree	8de47175da3cdd716f45fac3281f7a70b0fc5abe /epan/dissectors/packet-usb-hid.c
parent	26f0db01a7f7e6c69eee2f1c601444c64ca53e19 (diff)