DM USB: Fix potential crash issues.

This patch fix some potential crash issues, like wild
pointers access, buffer overflow and etc.

Change-Id: Iddd8e1820da426adc6b9b4d9da9e44017d9f365c
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Reviewed-by: Yu Wang <yu1.wang@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>

Author: xiaoguangwu

devicemodel/hw/pci/xhci.c

@@ -748,7 +748,8 @@ pci_xhci_dev_destroy(struct pci_xhci_dev_emu *de)
 				if (ue->ue_deinit)
 					ue->ue_deinit(ud);
 			}
-		}
+		} else
+			return;
 
 		if (ue->ue_devtype == USB_DEV_PORT_MAPPER)
 			free(ue);
@@ -3314,7 +3315,8 @@ pci_xhci_parse_bus_port(struct pci_xhci_vdev *xdev, char *opts)
 
 	/* 'bus-port' format */
 	cnt = sscanf(opts, "%u-%u", &bus, &port);
-	if (cnt == EOF || cnt < 2) {
+	if (cnt == EOF || cnt < 2 || bus >= USB_NATIVE_NUM_BUS ||
+			port >= USB_NATIVE_NUM_PORT) {
 		rc = -1;
 		goto errout;
 	}
@@ -3534,7 +3536,10 @@ pci_xhci_parse_opts(struct pci_xhci_vdev *xdev, char *opts)
 			xdev->portregs = NULL;
 		}
 		UPRINTF(LFTL, "fail to parse xHCI options, rc=%d\r\n", rc);
-		pci_xhci_device_usage(opts);
+
+		if (opts)
+			pci_xhci_device_usage(opts);
+
 		return rc;
 	}
 

devicemodel/hw/platform/usb_pmapper.c

@@ -149,7 +149,7 @@ usb_dev_prepare_xfer(struct usb_data_xfer *xfer, int *count, int *size)
 	found = 0;
 	first = -1;
 	c = s = 0;
-	if (!count || !size)
+	if (!count || !size || idx < 0 || idx >= USB_MAX_XFER_BLOCKS)
 		return -1;
 
 	for (i = 0; i < xfer->ndata; i++) {
@@ -452,6 +452,10 @@ usb_dev_prepare_ctrl_xfer(struct usb_data_xfer *xfer)
 	struct usb_data_xfer_block *blk = NULL;
 
 	idx = xfer->head;
+
+	if (idx < 0 || idx >= USB_MAX_XFER_BLOCKS)
+		return NULL;
+
 	for (i = 0; i < xfer->ndata; i++) {
 		/*
 		 * find out the data block and set every