Rémi Bernon <rbernon(a)codeweavers.com> writes:
@@ -3308,16 +3308,18 @@ DECL_HANDLER(get_rawinput_buffer)
 {
 struct message *msg = LIST_ENTRY( ptr, struct message, entry );
 struct hardware_msg_data *data = msg->data;
+ data_size_t hid_size = data->rawinput.type != RIM_TYPEHID ? 0 : data->rawinput.hid.length;
+ data_size_t data_size = sizeof(*data) + hid_size;
You can't trust the length passed by the client.
@@ -408,9 +424,11 @@ static void dump_rawinput( const char *prefix, const union rawinput *rawinput )
 rawinput->kbd.message, rawinput->kbd.vkey, rawinput->kbd.scan );
 break;
 case RIM_TYPEHID:
- fprintf( stderr, "%s{type=HID,device=%04x,param=%04x,page=%04hx,usage=%04hx}",
+ fprintf( stderr, "%s{type=HID,device=%04x,param=%04x,page=%04hx,usage=%04hx,length=%u",
 prefix, rawinput->hid.device, rawinput->hid.param, rawinput->hid.usage_page,
- rawinput->hid.usage );
+ rawinput->hid.usage, rawinput->hid.length );
+ dump_varargs_bytes( ",report=", rawinput->hid.length );
Same here.

-- 
Alexandre Julliard
julliard(a)winehq.org