Per USB HID spec, the buffer holding key codes should at least 3-byte
long.
Today's code assumes that the key codes buffer length is longer than
3-byte and unconditionally accesses the key codes buffer.
It's incorrect.
The patch fixes the issue by returning Device Error when the
length is less than 3-byte.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
return EFI_SUCCESS;\r
}\r
\r
- UsbMouseDevice->StateChanged = TRUE;\r
-\r
//\r
// Check mouse Data\r
// USB HID Specification specifies following data format:\r
// 2 0 to 7 Y displacement\r
// 3 to n 0 to 7 Device specific (optional)\r
//\r
+ if (DataLength < 3) {\r
+ return EFI_DEVICE_ERROR;\r
+ }\r
+\r
+ UsbMouseDevice->StateChanged = TRUE;\r
+\r
UsbMouseDevice->State.LeftButton = (BOOLEAN) ((*(UINT8 *) Data & BIT0) != 0);\r
UsbMouseDevice->State.RightButton = (BOOLEAN) ((*(UINT8 *) Data & BIT1) != 0);\r
UsbMouseDevice->State.RelativeMovementX += *((INT8 *) Data + 1);\r