USB HID: Avoid allocating a huge amount of memory (second try).

10204490d7 / MR 80 ensured that we didn't grow field.usages due to an underflow, but it neglected to check for a sane array size. Add another check to make sure we don't wmem_array_grow() too much. Fixes #17165 and fixes #16809 more completely.
2021-01-25 13:41:38 -08:00 · 2021-01-25 13:41:38 -08:00 · 785e291c1b
parent 26f0db01a7
commit 785e291c1b
1 changed files with 5 additions and 0 deletions
--- a/epan/dissectors/packet-usb-hid.c
+++ b/epan/dissectors/packet-usb-hid.c
@ -3339,6 +3339,7 @@ hid_unpack_signed(guint8 *data, unsigned int idx, unsigned int size, gint32 *val
 }


+#define MAX_REPORT_DESCRIPTOR_COUNT 100000 // Arbitrary
 static gboolean
 parse_report_descriptor(report_descriptor_t *rdesc)
 {
@ -3496,6 +3497,10 @@ parse_report_descriptor(report_descriptor_t *rdesc)
                            goto err;
                        }

+                        if (wmem_array_get_count(field.usages) + usage_max - usage_min >= MAX_REPORT_DESCRIPTOR_COUNT) {
+                            goto err;
+                        }
+
                        /* min and max are inclusive */
                        wmem_array_grow(field.usages, usage_max - usage_min + 1);
                        for (guint32 j = usage_min; j <= usage_max; j++) {