From: "Rémi Bernon" Subject: [PATCH 3/6] hidclass.sys: Return read/write errors on invalid sizes. Message-Id: <20210618120611.703993-3-rbernon@codeweavers.com> Date: Fri, 18 Jun 2021 14:06:08 +0200 In-Reply-To: <20210618120611.703993-1-rbernon@codeweavers.com> References: <20210618120611.703993-1-rbernon@codeweavers.com> Signed-off-by: Rémi Bernon --- dlls/hidclass.sys/device.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/dlls/hidclass.sys/device.c b/dlls/hidclass.sys/device.c index 82366ad1888..bbb7205a2e8 100644 --- a/dlls/hidclass.sys/device.c +++ b/dlls/hidclass.sys/device.c @@ -587,8 +587,16 @@ NTSTATUS WINAPI pdo_read(DEVICE_OBJECT *device, IRP *irp) UINT buffer_size = RingBuffer_GetBufferSize(ext->u.pdo.ring_buffer); NTSTATUS rc = STATUS_SUCCESS; IO_STACK_LOCATION *irpsp = IoGetCurrentIrpStackLocation(irp); + const WINE_HIDP_PREPARSED_DATA *data = ext->u.pdo.preparsed_data; int ptr = -1; + if (irpsp->Parameters.Read.Length < data->caps.InputReportByteLength) + { + irp->IoStatus.Status = STATUS_INVALID_BUFFER_SIZE; + IoCompleteRequest(irp, IO_NO_INCREMENT); + return STATUS_INVALID_BUFFER_SIZE; + } + packet = malloc(buffer_size); ptr = PtrToUlong( irp->Tail.Overlay.OriginalFileObject->FsContext ); @@ -664,6 +672,13 @@ NTSTATUS WINAPI pdo_write(DEVICE_OBJECT *device, IRP *irp) ULONG max_len; NTSTATUS rc; + if (irpsp->Parameters.Write.Length < data->caps.OutputReportByteLength) + { + irp->IoStatus.Status = irpsp->Parameters.Write.Length ? STATUS_INVALID_PARAMETER : STATUS_INVALID_BUFFER_SIZE; + IoCompleteRequest(irp, IO_NO_INCREMENT); + return irp->IoStatus.Status; + } + irp->IoStatus.Information = 0; TRACE_(hid_report)("Device %p Buffer length %i Buffer %p\n", device, irpsp->Parameters.Write.Length, irp->AssociatedIrp.SystemBuffer); -- 2.31.0
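Review bot: The guard added at the top of pdo_read rejects nothing when `data->caps.InputReportByteLength` is 0, so on a device without input reports a zero-length read still falls through to `malloc(buffer_size)` and the ring-buffer path. If that case can occur, it deserves its own early return, or a comment stating the invariant that makes it unreachable. The check also only guarantees that the caller's buffer can hold one report. The copy into that buffer happens outside this hunk, so confirm it is limited by `irpsp->Parameters.Read.Length` rather than by `buffer_size`.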
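Review bot: The early-exit path added to pdo_write evaluates `return irp->IoStatus.Status;` after `IoCompleteRequest(irp, IO_NO_INCREMENT)`, when the driver no longer owns the IRP and it may already have been freed or reused. Keep the status in the existing local instead, as the pdo_read hunk effectively does by returning a constant: `rc = irpsp->Parameters.Write.Length ? STATUS_INVALID_PARAMETER : STATUS_INVALID_BUFFER_SIZE;`, `irp->IoStatus.Status = rc;` and, after completion, `return rc;`. The guard also sits before `irp->IoStatus.Information = 0;`, so this path completes the request without setting Information; the pdo_read guard does not set it either. A one-line comment explaining why a non-zero short write yields STATUS_INVALID_PARAMETER while a zero-length one yields STATUS_INVALID_BUFFER_SIZE would help the next reader. pdo_write's body starts and ends outside the hunk.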