diff options
| author | reillyg <reillyg@chromium.org> | 2014-08-24 00:11:46 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2014-08-24 07:13:02 +0000 |
| commit | 70cdd67c0293cef1216422386ff92018770c4b70 (patch) | |
| tree | 6aa4877338c58365efc97f406e7beac8dbafc52d /device | |
| parent | c92d18afd4b6e965345ddef87b9716480f48c665 (diff) | |
| download | chromium_src-70cdd67c0293cef1216422386ff92018770c4b70.zip chromium_src-70cdd67c0293cef1216422386ff92018770c4b70.tar.gz chromium_src-70cdd67c0293cef1216422386ff92018770c4b70.tar.bz2 | |
Store HID report sizes as uint16_t.
HID report sizes are unsigned values. In addition they should (because
of the limited size of USB control transfers) never be larger than 64k.
In reality that would be an absolutely enormous report and unlikely to
ever been seen in the wild. By limiting the storage size for report
lengths to a uint16_t we therefore also limit our exposure to being
convinced to allocate unreasonably large buffers by a malicious device.
The Windows HID parser already limits report sizes to a USHORT value.
BUG=
Review URL: https://codereview.chromium.org/492963007
Cr-Commit-Position: refs/heads/master@{#291624}
Diffstat (limited to 'device')
| -rw-r--r-- | device/hid/hid_device_info.h | 6 | ||||
| -rw-r--r-- | device/hid/hid_report_descriptor.cc | 20 | ||||
| -rw-r--r-- | device/hid/hid_report_descriptor.h | 6 | ||||
| -rw-r--r-- | device/hid/hid_report_descriptor_unittest.cc | 12 |
4 files changed, 22 insertions, 22 deletions
diff --git a/device/hid/hid_device_info.h b/device/hid/hid_device_info.h index dde2f12..f42a859 100644 --- a/device/hid/hid_device_info.h +++ b/device/hid/hid_device_info.h @@ -45,9 +45,9 @@ struct HidDeviceInfo { // Top-Level Collections information. std::vector<HidCollectionInfo> collections; bool has_report_id; - int max_input_report_size; - int max_output_report_size; - int max_feature_report_size; + uint16_t max_input_report_size; + uint16_t max_output_report_size; + uint16_t max_feature_report_size; }; } // namespace device diff --git a/device/hid/hid_report_descriptor.cc b/device/hid/hid_report_descriptor.cc index c461004..d8031d3 100644 --- a/device/hid/hid_report_descriptor.cc +++ b/device/hid/hid_report_descriptor.cc @@ -29,9 +29,9 @@ HidReportDescriptor::~HidReportDescriptor() {} void HidReportDescriptor::GetDetails( std::vector<HidCollectionInfo>* top_level_collections, bool* has_report_id, - int* max_input_report_size, - int* max_output_report_size, - int* max_feature_report_size) { + uint16_t* max_input_report_size, + uint16_t* max_output_report_size, + uint16_t* max_feature_report_size) { DCHECK(top_level_collections); DCHECK(max_input_report_size); DCHECK(max_output_report_size); @@ -45,13 +45,13 @@ void HidReportDescriptor::GetDetails( // Global tags data: HidUsageAndPage::Page current_usage_page = HidUsageAndPage::kPageUndefined; - int current_report_count = 0; - int cached_report_count = 0; - int current_report_size = 0; - int cached_report_size = 0; - int current_input_report_size = 0; - int current_output_report_size = 0; - int current_feature_report_size = 0; + uint16_t current_report_count = 0; + uint16_t cached_report_count = 0; + uint16_t current_report_size = 0; + uint16_t cached_report_size = 0; + uint16_t current_input_report_size = 0; + uint16_t current_output_report_size = 0; + uint16_t current_feature_report_size = 0; // Local tags data: uint16_t current_usage = 0; diff --git a/device/hid/hid_report_descriptor.h b/device/hid/hid_report_descriptor.h index b5017b7..1719e94 100644 --- a/device/hid/hid_report_descriptor.h +++ b/device/hid/hid_report_descriptor.h @@ -29,9 +29,9 @@ class HidReportDescriptor { // together with max report sizes void GetDetails(std::vector<HidCollectionInfo>* top_level_collections, bool* has_report_id, - int* max_input_report_size, - int* max_output_report_size, - int* max_feature_report_size); + uint16_t* max_input_report_size, + uint16_t* max_output_report_size, + uint16_t* max_feature_report_size); private: std::vector<linked_ptr<HidReportDescriptorItem> > items_; diff --git a/device/hid/hid_report_descriptor_unittest.cc b/device/hid/hid_report_descriptor_unittest.cc index 0cce2e6..8bc04f1 100644 --- a/device/hid/hid_report_descriptor_unittest.cc +++ b/device/hid/hid_report_descriptor_unittest.cc @@ -298,18 +298,18 @@ class HidReportDescriptorTest : public testing::Test { void ValidateDetails( const std::vector<HidCollectionInfo>& expected_collections, const bool expected_has_report_id, - const int expected_max_input_report_size, - const int expected_max_output_report_size, - const int expected_max_feature_report_size, + const uint16_t expected_max_input_report_size, + const uint16_t expected_max_output_report_size, + const uint16_t expected_max_feature_report_size, const uint8_t* bytes, size_t size) { descriptor_ = new HidReportDescriptor(bytes, size); std::vector<HidCollectionInfo> actual_collections; bool actual_has_report_id; - int actual_max_input_report_size; - int actual_max_output_report_size; - int actual_max_feature_report_size; + uint16_t actual_max_input_report_size; + uint16_t actual_max_output_report_size; + uint16_t actual_max_feature_report_size; descriptor_->GetDetails(&actual_collections, &actual_has_report_id, &actual_max_input_report_size, |