libuuu: hidreport: fix read out-of-bound access during write

Since commit 3f512a6 ("libuuu: hidreport: fix write size for Windows") it may happen that the memcpy() does read outside the provided memory. Fix this by moving the Windows HIDAPI workaround behind the memcpy(), here no overflows can happen since the m_out_buff size is at least m_size_out. Signed-off-by: Marco Felsch <[email protected]>
nxp-imx · Nov 16, 2023 · f9080cc · f9080cc
1 parent 26d4b25
commit f9080cc
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/libuuu/hidreport.cpp b/libuuu/hidreport.cpp
@@ -79,17 +79,20 @@ int HIDReport::write(const void *p, size_t sz, uint8_t report_id)
 
 		size_t s = sz - off;
 
+		if (s > m_size_out)
+			s = m_size_out;
+
+		memcpy(m_out_buff.data() + m_size_payload, buff + off, s);
+
 		/*
 		 * The Windows HIDAPI is ver strict. It always require to send
 		 * buffers of the size reported by the HID Report Descriptor.
 		 * Therefore we must to send m_size_out buffers for HID ID 2
 		 * albeit it may not required for the last buffer.
 		 */
-		if (s > m_size_out || report_id == 2)
+		if (report_id == 2)
 			s = m_size_out;
 
-		memcpy(m_out_buff.data() + m_size_payload, buff + off, s);
-
 		int ret = m_pdev->write(m_out_buff.data(), s + m_size_payload);
 
 		if (ret < 0)