From de317f587003dbd6203af1c647e2fccb912f8f0d Mon Sep 17 00:00:00 2001
From: Frank Li <frank.li@nxp.com>
Date: Thu, 9 Nov 2023 12:09:06 -0600
Subject: [PATCH] Fixed sdps crash for some size flash.bin

memcpy size can't exceed input memory buffer size.
It is fix for 3f512a61

Signed-off-by: Frank Li <frank.li@nxp.com>
---
 libuuu/hidreport.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libuuu/hidreport.cpp b/libuuu/hidreport.cpp
index 2dfb50af..4d99f760 100644
--- a/libuuu/hidreport.cpp
+++ b/libuuu/hidreport.cpp
@@ -78,6 +78,10 @@ int HIDReport::write(const void *p, size_t sz, uint8_t report_id)
 		m_out_buff[0] = report_id;
 
 		size_t s = sz - off;
+		size_t copy_sz = s;
+
+		if (copy_sz > m_size_out)
+			copy_sz = m_size_out;
 
 		/*
 		 * The Windows HIDAPI is ver strict. It always require to send
@@ -88,7 +92,8 @@ int HIDReport::write(const void *p, size_t sz, uint8_t report_id)
 		if (s > m_size_out || report_id == 2)
 			s = m_size_out;
 
-		memcpy(m_out_buff.data() + m_size_payload, buff + off, s);
+		/* copy_sz can't be bigger then input data size, otherwise access unpaged memory */
+		memcpy(m_out_buff.data() + m_size_payload, buff + off, copy_sz);
 
 		int ret = m_pdev->write(m_out_buff.data(), s + m_size_payload);