From 9479ce9dae3d0dbe2ce693bd02ccceb018a75fe9 Mon Sep 17 00:00:00 2001
From: Vitali Lovich
Date: Wed, 16 Mar 2011 17:33:57 -0700
Subject: [PATCH] descriptor.c: Fix buffer read overflow caught by valgrind

In parse_interface() an unexpected descriptor would be parsed without validating the descriptor's length. It is possible for size to be 0 at this point, which means that the parsing would read past the end of the source buffer.

Fix #83 by checking the length of the remaining buffer before parsing.
---
 libusb/descriptor.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libusb/descriptor.c b/libusb/descriptor.c
index 11480e8..d6ec46c 100644
--- a/libusb/descriptor.c
+++ b/libusb/descriptor.c
@@ -257,11 +257,13 @@ static int parse_interface(libusb_context *ctx,
 	}
 
 	/* Did we hit an unexpected descriptor? */
-	usbi_parse_descriptor(buffer, "bb", &header, 0);
-	if ((size >= DESC_HEADER_LENGTH) &&
-		((header.bDescriptorType == LIBUSB_DT_CONFIG) ||
-		(header.bDescriptorType == LIBUSB_DT_DEVICE)))
-		return parsed;
+	if (size >= DESC_HEADER_LENGTH) {
+		usbi_parse_descriptor(buffer, "bb", &header, 0);
+		if ((header.bDescriptorType == LIBUSB_DT_CONFIG) ||
+			(header.bDescriptorType == LIBUSB_DT_DEVICE)) {
+			return parsed;
+		}
+	}
 
 	if (ifp->bNumEndpoints > USB_MAXENDPOINTS) {
 		usbi_err(ctx, "too many endpoints (%d)", ifp->bNumEndpoints);
-- 
2.34.1
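Review bot: The new guard leaves `header` unparsed and therefore uninitialised whenever fewer than DESC_HEADER_LENGTH bytes remain, and the branch is silent about that: a reader of the "unexpected descriptor" check cannot tell that a short tail (0 < size < DESC_HEADER_LENGTH) is deliberately skipped rather than rejected. The comment above the `if` should say so, e.g. `/* Only peek at the next descriptor header when it fits in the remaining buffer (size >= DESC_HEADER_LENGTH); a shorter tail is left to the endpoint-count check and the loop below, and header is not valid on that path. */`, so that nobody later reads `header` after this block without re-checking `size`. The guard fixes the read past the end of the source buffer that the commit message describes, but it validates only that the two-byte header fits, not that `header.bLength` itself is consistent with `size`; whether that is checked before the descriptor body is consumed is outside the hunk, so I have not assumed either way. parse_interface() begins and ends outside this hunk.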