From af4b47dca6d5b26c9f5a37b52173ce3d2419837a Mon Sep 17 00:00:00 2001
From: Ihor Dutchak
Date: Wed, 2 Oct 2024 16:43:42 +0300
Subject: [PATCH] fix possible null-pointer dereference (#701)
---
 libusb/hid.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/libusb/hid.c b/libusb/hid.c
index 77d7d680..56b9fb54 100644
--- a/libusb/hid.c
+++ b/libusb/hid.c
@@ -1679,7 +1679,7 @@ int HID_API_EXPORT hid_send_feature_report(hid_device *dev, const unsigned char
 {
 int res = -1;
 int skipped_report_id = 0;
- int report_number = data[0];
+ int report_number;
 if (!data || !length) {
 register_string_error(&dev->error, "Zero buffer/length");
@@ -1688,6 +1688,8 @@ int HID_API_EXPORT hid_send_feature_report(hid_device *dev, const unsigned char
 register_libusb_error(&dev->error, LIBUSB_SUCCESS, NULL);
+ report_number = data[0];
+
 if (report_number == 0x0) {
 data++;
 length--;
@@ -1718,7 +1720,7 @@ int HID_API_EXPORT hid_get_feature_report(hid_device *dev, unsigned char *data,
 {
 int res = -1;
 int skipped_report_id = 0;
- int report_number = data[0];
+ int report_number;
 if (!data || !length) {
 register_string_error(&dev->error, "Zero buffer/length");
@@ -1727,6 +1729,8 @@ int HID_API_EXPORT hid_get_feature_report(hid_device *dev, unsigned char *data,
 register_libusb_error(&dev->error, LIBUSB_SUCCESS, NULL);
+ report_number = data[0];
+
 if (report_number == 0x0) {
 /* Offset the return buffer by 1, so that the report ID will remain in byte 0. */
@@ -1757,7 +1761,7 @@ int HID_API_EXPORT hid_send_output_report(hid_device *dev, const unsigned char *
 {
 int res = -1;
 int skipped_report_id = 0;
- int report_number = data[0];
+ int report_number;
 if (!data || !length) {
 register_string_error(&dev->error, "Zero buffer/length");
@@ -1766,6 +1770,8 @@ int HID_API_EXPORT hid_send_output_report(hid_device *dev, const unsigned char *
 register_libusb_error(&dev->error, LIBUSB_SUCCESS, NULL);
+ report_number = data[0];
+
 if (report_number == 0x0) {
 data++;
 length--;
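Review bot: The early-return path still dereferences `dev`: `register_string_error(&dev->error, "Zero buffer/length")` runs before anything in the hunk checks `dev`, so the fix protects `data` only. The same pattern appears in the matching hunks for hid_get_feature_report, hid_send_output_report and hid_get_input_report, and again in `register_libusb_error(&dev->error, LIBUSB_SUCCESS, NULL)`. If callers are not contractually required to pass a valid handle, add `if (!dev) return -1;` ahead of the existing check; otherwise state that precondition in the functions' documentation. The function bodies start and continue outside these hunks, so an earlier guard may exist that is not visible here.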
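Review bot: The added `report_number = data[0];` has no comment saying why the read is separated from the declaration, so a later tidy-up could fold it back above the `!data || !length` check and reintroduce the dereference. I would put `/* Read data[0] only after the NULL/zero-length check above. */` on the line before it, here and in the three sibling hunks (hid_get_feature_report, hid_send_output_report, hid_get_input_report). A small regression test that calls each of the four functions with `data == NULL` and expects `-1` would pin the behaviour.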
@@ -1796,7 +1802,7 @@ int HID_API_EXPORT HID_API_CALL hid_get_input_report(hid_device *dev, unsigned c
 {
 int res = -1;
 int skipped_report_id = 0;
- int report_number = data[0];
+ int report_number;
 if (!data || !length) {
 register_string_error(&dev->error, "Zero buffer/length");
@@ -1805,6 +1811,8 @@ int HID_API_EXPORT HID_API_CALL hid_get_input_report(hid_device *dev, unsigned c
 register_libusb_error(&dev->error, LIBUSB_SUCCESS, NULL);
+ report_number = data[0];
+
 if (report_number == 0x0) {
 /* Offset the return buffer by 1, so that the report ID will remain in byte 0. */