authorMatt Reynolds <mattreynolds@google.com>2023-03-14 11:25:00 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-04-03 15:24:36 +0000
commit15e98b4f66df8a57125784f1402da0cb68ec5ef0 (patch)
tree7cf4889ca2a14e95418659cfa63a1d928141eb7e
parent8f62524f1bd1d07bb6c5052391a5f82110f217e0 (diff)
downloadqtwebengine-chromium-15e98b4f66df8a57125784f1402da0cb68ec5ef0.tar.gz
[Backport] CVE-2023-1529: Out of bounds memory access in WebHID
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4320692: hid: Handle empty input reports It's possible for a HID device to define its report descriptor such that one or more reports have no data fields within the report. When receiving these reports, the report buffer should contain only the report ID byte and no other data. Ensure that we do not read past the end of the buffer when handling zero-length input reports. (cherry picked from commit c9d77da78bc66c135520ac77873d67b89cdcaee6) Bug: 1419718 Change-Id: I51d32c20f6b16f0d2b0172e0a165469b6b79748c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4296562 Commit-Queue: Matt Reynolds <mattreynolds@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1112009} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4320692 Commit-Queue: Reilly Grant <reillyg@chromium.org> Auto-Submit: Matt Reynolds <mattreynolds@chromium.org> Cr-Commit-Position: refs/branch-heads/5481@{#1341} Cr-Branched-From: 130f3e4d850f4bc7387cfb8d08aa993d288a67a9-refs/heads/main@{#1084008} (cherry picked from commit b041159d06adbf7487639bd33a261cc0270d7a34) Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468502 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/services/device/hid/hid_connection_impl.cc11
1 files changed, 6 insertions, 5 deletions
diff --git a/chromium/services/device/hid/hid_connection_impl.cc b/chromium/services/device/hid/hid_connection_impl.cc
index c413123e121..adfaa66b760 100644
--- a/chromium/services/device/hid/hid_connection_impl.cc
+++ b/chromium/services/device/hid/hid_connection_impl.cc
@@ -54,11 +54,12 @@ void HidConnectionImpl::OnInputReport(
scoped_refptr<base::RefCountedBytes> buffer,
size_t size) {
DCHECK(client_);
- uint8_t report_id = buffer->data()[0];
- uint8_t* begin = &buffer->data()[1];
- uint8_t* end = buffer->data().data() + size;
- std::vector<uint8_t> data(begin, end);
- client_->OnInputReport(report_id, data);
+ DCHECK_GE(size, 1u);
+ std::vector<uint8_t> data;
+ if (size > 1) {
+ data = std::vector<uint8_t>(buffer->front() + 1, buffer->front() + size);
+ }
+ client_->OnInputReport(/*report_id=*/buffer->data()[0], data);
}
void HidConnectionImpl::Read(ReadCallback callback) {
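Review bot: `buffer->data()[0]` on the last added line is still read unconditionally, and `DCHECK_GE(size, 1u)` only guards it in debug builds, so a release build handed a zero-length buffer would still index past the end. The new code also never relates `size` to `buffer->size()`, so `buffer->front() + size` depends on every platform backend passing a length consistent with the buffer it allocated; the callers are not visible from this hunk, so that may already hold. A defensive guard that preserves the fix's intent would be `if (size < 1 || size > buffer->size()) return;` before the vector is built (dropping a malformed report rather than reading outside it), or at minimum `DCHECK_LE(size, buffer->size());` next to the existing DCHECK. OnInputReport's signature starts above the hunk.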