Per USB HID spec, the buffer holding key codes should be 8-byte
long.
Today's code assumes that the key codes buffer length is 8-byte
long and unconditionally accesses the key codes buffer.
It's incorrect.
The patch fixes the issue by returning Device Error when the
length is less than 8-byte.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
// Byte 1 is reserved.\r
// Bytes 2 to 7 are keycodes.\r
//\r
+ if (DataLength < 8) {\r
+ return EFI_DEVICE_ERROR;\r
+ }\r
+\r
CurKeyCodeBuffer = (UINT8 *) Data;\r
OldKeyCodeBuffer = UsbKeyboardDevice->LastKeyCodeArray;\r
\r