descriptor.c: Fix buffer read overflow caught by valgrind

In parse_interface() an unexpected descriptor would be parsed without
validating the descriptor's length.  It is possible for size to be 0 at
this point, which means that the parsing would read past the end of the
source buffer.  Fix #83 by checking the length of the remaining buffer
before parsing.

diff --git a/libusb/descriptor.c b/libusb/descriptor.c
index 11480e86c4e373b03512fdfc7a286ca7b99540f7..d6ec46c1bd68dbd3cd6051671ff08736c4439eba 100644 (file)
--- a/libusb/descriptor.c
+++ b/libusb/descriptor.c
@@ -257,11 +257,13 @@ static int parse_interface(libusb_context *ctx,
                }
 
                /* Did we hit an unexpected descriptor? */
-               usbi_parse_descriptor(buffer, "bb", &header, 0);
-               if ((size >= DESC_HEADER_LENGTH) &&
-                               ((header.bDescriptorType == LIBUSB_DT_CONFIG) ||
-                                (header.bDescriptorType == LIBUSB_DT_DEVICE)))
-                       return parsed;
+               if (size >= DESC_HEADER_LENGTH) {
+                       usbi_parse_descriptor(buffer, "bb", &header, 0);
+                       if ((header.bDescriptorType == LIBUSB_DT_CONFIG) ||
+                           (header.bDescriptorType == LIBUSB_DT_DEVICE)) {
+                               return parsed;
+                       }
+               }
 
                if (ifp->bNumEndpoints > USB_MAXENDPOINTS) {
                        usbi_err(ctx, "too many endpoints (%d)", ifp->bNumEndpoints);