WIP: buffer overread

The first iteration of this loop was safe because the beginning of the function checked that `size` is at least LIBUSB_DT_CONFIG_SIZE (9) bytes long.

But for subsequent iterations, it's unclear...

libusb/descriptor.c

@@ -1245,7 +1245,7 @@ static int parse_iad_array(struct libusb_context *ctx,
 	while (consumed < size) {
 		header.bLength = buf[0];
 		header.bDescriptorType = buf[1];
-		if (header.bLength < 2) {
+		if (header.bLength < LIBUSB_SMALLEST_DESCRIPTOR_SIZE) {
 			usbi_err(ctx, "invalid descriptor bLength %d",
 				 header.bLength);
 			return LIBUSB_ERROR_IO;
@@ -1270,12 +1270,12 @@ static int parse_iad_array(struct libusb_context *ctx,
 		iad_array->iad = iad;
 
 		// Second pass: Iterate through desc list, fill IAD structures
-		consumed = 0;
+		int remaining = size;
 		i = 0;
-		while (consumed < size) {
+		do {
 			header.bLength = buffer[0];
 			header.bDescriptorType = buffer[1];
-			if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION) {
+			if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION && (remaining >= LIBUSB_DT_INTERFACE_ASSOCIATION_SIZE)) {
 				iad[i].bLength = buffer[0];
 				iad[i].bDescriptorType = buffer[1];
 				iad[i].bFirstInterface = buffer[2];
@@ -1286,10 +1286,13 @@ static int parse_iad_array(struct libusb_context *ctx,
 				iad[i].iFunction = buffer[7];
 				i++;
 			}
-
+
+			remaining -= header.bLength;
+			if (remaining < LIBUSB_SMALLEST_DESCRIPTOR_SIZE) {
+				break;
+			}
 			buffer += header.bLength;
-			consumed += header.bLength;
-		}
+		} while (1);
 	}
 
 	return LIBUSB_SUCCESS;

libusb/libusb.h

@@ -335,6 +335,8 @@ enum libusb_descriptor_type {
 #define LIBUSB_DT_SS_ENDPOINT_COMPANION_SIZE	6
 #define LIBUSB_DT_BOS_SIZE			5
 #define LIBUSB_DT_DEVICE_CAPABILITY_SIZE	3
+#define LIBUSB_DT_INTERFACE_ASSOCIATION_SIZE			8
+#define LIBUSB_SMALLEST_DESCRIPTOR_SIZE			2	/* length & desc type, like usbi_descriptor_header */
 
 /* BOS descriptor sizes */
 #define LIBUSB_BT_USB_2_0_EXTENSION_SIZE	7