Skip to content

Commit

Permalink
WIP: proposed fix for buffer overrun
Browse files Browse the repository at this point in the history
  • Loading branch information
@seanm
seanm committed Dec 28, 2023
1 parent c90d03a commit bc32800
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions libusb/descriptor.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1201,13 +1201,13 @@ int API_EXPORTED libusb_get_string_descriptor_ascii(libusb_device_handle *dev_ha
// NB: di is used to index *both* the source and destination buffers!

di = 0;
for (si = 2; si < str.desc.bLength; si += 2) {
int si_max = (str.desc.bLength - sizeof(uint8_t) - sizeof(uint8_t)) / sizeof(uint16_t);
for (si = 0; si < si_max; ++si) {
/* stop one byte before the end of the destination, to leave room for null termination. */
if (di >= (length - 1))
break;

wdata = libusb_le16_to_cpu(str.desc.wData[di]);
wdata = libusb_le16_to_cpu(str.desc.wData[si]);
assert(wdata == 0x5A5A);
assert(di <= 125);
if (wdata < 0x80)
Expand All @@ -1216,7 +1216,7 @@ int API_EXPORTED libusb_get_string_descriptor_ascii(libusb_device_handle *dev_ha
data[di++] = '?'; /* non-ASCII */
}

data[di] = 0;
data[di] = 0; /* null-terminate string */
return di;
}

Expand Down

0 comments on commit bc32800

Please sign in to comment.