MdeModulePkg/AbsPointer: Don't access key codes when length is wrong

Per USB HID spec, the buffer holding key codes should at least 3-byte
long.
Today's code assumes that the key codes buffer length is longer than
3-byte and unconditionally accesses the key codes buffer.
It's incorrect.
The patch fixes the issue by returning Device Error when the
length is less than 3-byte.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>

diff --git a/MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c b/MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c
index 965195ca34b496a032187f10d9f2add6b0fc3a4b..42b9147ad8e19f5a22724ea6fe78ffafbd7b60bb 100644 (file)
--- a/MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c
+++ b/MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c
@@ -813,8 +813,6 @@ OnMouseInterruptComplete (
     return EFI_SUCCESS;\r
   }\r
 \r
-  UsbMouseAbsolutePointerDevice->StateChanged = TRUE;\r
-\r
   //\r
   // Check mouse Data\r
   // USB HID Specification specifies following data format:\r
@@ -827,6 +825,12 @@ OnMouseInterruptComplete (
   // 2       0 to 7  Y displacement\r
   // 3 to n  0 to 7  Device specific (optional)\r
   //\r
+  if (DataLength < 3) {\r
+    return EFI_DEVICE_ERROR;\r
+  }\r
+\r
+  UsbMouseAbsolutePointerDevice->StateChanged = TRUE;\r
+\r
   UsbMouseAbsolutePointerDevice->State.ActiveButtons = *(UINT8 *) Data & (BIT0 | BIT1 | BIT2);\r
 \r
   UsbMouseAbsolutePointerDevice->State.CurrentX =\r