diff options
| author | reillyg <reillyg@chromium.org> | 2014-08-24 00:11:46 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2014-08-24 07:13:02 +0000 |
| commit | 70cdd67c0293cef1216422386ff92018770c4b70 (patch) | |
| tree | 6aa4877338c58365efc97f406e7beac8dbafc52d /device/hid/hid_report_descriptor.cc | |
| parent | c92d18afd4b6e965345ddef87b9716480f48c665 (diff) | |
| download | chromium_src-70cdd67c0293cef1216422386ff92018770c4b70.zip chromium_src-70cdd67c0293cef1216422386ff92018770c4b70.tar.gz chromium_src-70cdd67c0293cef1216422386ff92018770c4b70.tar.bz2 | |
Store HID report sizes as uint16_t.
HID report sizes are unsigned values. In addition they should (because
of the limited size of USB control transfers) never be larger than 64k.
In reality that would be an absolutely enormous report and unlikely to
ever been seen in the wild. By limiting the storage size for report
lengths to a uint16_t we therefore also limit our exposure to being
convinced to allocate unreasonably large buffers by a malicious device.
The Windows HID parser already limits report sizes to a USHORT value.
BUG=
Review URL: https://codereview.chromium.org/492963007
Cr-Commit-Position: refs/heads/master@{#291624}
Diffstat (limited to 'device/hid/hid_report_descriptor.cc')
| -rw-r--r-- | device/hid/hid_report_descriptor.cc | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/device/hid/hid_report_descriptor.cc b/device/hid/hid_report_descriptor.cc index c461004..d8031d3 100644 --- a/device/hid/hid_report_descriptor.cc +++ b/device/hid/hid_report_descriptor.cc @@ -29,9 +29,9 @@ HidReportDescriptor::~HidReportDescriptor() {} void HidReportDescriptor::GetDetails( std::vector<HidCollectionInfo>* top_level_collections, bool* has_report_id, - int* max_input_report_size, - int* max_output_report_size, - int* max_feature_report_size) { + uint16_t* max_input_report_size, + uint16_t* max_output_report_size, + uint16_t* max_feature_report_size) { DCHECK(top_level_collections); DCHECK(max_input_report_size); DCHECK(max_output_report_size); @@ -45,13 +45,13 @@ void HidReportDescriptor::GetDetails( // Global tags data: HidUsageAndPage::Page current_usage_page = HidUsageAndPage::kPageUndefined; - int current_report_count = 0; - int cached_report_count = 0; - int current_report_size = 0; - int cached_report_size = 0; - int current_input_report_size = 0; - int current_output_report_size = 0; - int current_feature_report_size = 0; + uint16_t current_report_count = 0; + uint16_t cached_report_count = 0; + uint16_t current_report_size = 0; + uint16_t cached_report_size = 0; + uint16_t current_input_report_size = 0; + uint16_t current_output_report_size = 0; + uint16_t current_feature_report_size = 0; // Local tags data: uint16_t current_usage = 0; |