From: Vitali Lovich Date: Thu, 17 Mar 2011 00:33:57 +0000 (-0700) Subject: descriptor.c: Fix buffer read overflow caught by valgrind X-Git-Tag: upstream/1.0.21~814 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=9479ce9dae3d0dbe2ce693bd02ccceb018a75fe9;p=platform%2Fupstream%2Flibusb.git descriptor.c: Fix buffer read overflow caught by valgrind In parse_interface() an unexpected descriptor would be parsed without validating the descriptor's length. It is possible for size to be 0 at this point, which means that the parsing would read past the end of the source buffer. Fix #83 by checking the length of the remaining buffer before parsing.
---
diff --git a/libusb/descriptor.c b/libusb/descriptor.c
index 11480e8..d6ec46c 100644
--- a/libusb/descriptor.c
+++ b/libusb/descriptor.c
@@ -257,11 +257,13 @@ static int parse_interface(libusb_context *ctx,
 }
 /* Did we hit an unexpected descriptor? */
- usbi_parse_descriptor(buffer, "bb", &header, 0);
- if ((size >= DESC_HEADER_LENGTH) &&
- ((header.bDescriptorType == LIBUSB_DT_CONFIG) ||
- (header.bDescriptorType == LIBUSB_DT_DEVICE)))
- return parsed;
+ if (size >= DESC_HEADER_LENGTH) {
+ usbi_parse_descriptor(buffer, "bb", &header, 0);
+ if ((header.bDescriptorType == LIBUSB_DT_CONFIG) ||
+ (header.bDescriptorType == LIBUSB_DT_DEVICE)) {
+ return parsed;
+ }
+ }
 if (ifp->bNumEndpoints > USB_MAXENDPOINTS) {
 usbi_err(ctx, "too many endpoints (%d)", ifp->bNumEndpoints);
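Review bot: When fewer than DESC_HEADER_LENGTH bytes remain, the new guard skips the type check and control falls through to the `ifp->bNumEndpoints` handling with `size` possibly 0 or 1. The hunk does not show whether the endpoint parsing that follows re-validates the remaining length before it reads another descriptor header. If it does not, a descriptor set that ends early while bNumEndpoints is non-zero would hit the same out-of-bounds read one step later, so that path should carry an equivalent `size >= DESC_HEADER_LENGTH` check before any header peek. A comment above the guard would also record the invariant, e.g. `/* size may be 0 here: only peek at the next header if one fully fits */`. parse_interface() starts and ends outside the hunk, so this is inferred from the visible lines only.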