Signed-off-by: Rémi Bernon rbernon@codeweavers.com
---
 dlls/hidclass.sys/device.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/dlls/hidclass.sys/device.c b/dlls/hidclass.sys/device.c
index 82366ad1888..bbb7205a2e8 100644
--- a/dlls/hidclass.sys/device.c
+++ b/dlls/hidclass.sys/device.c
@@ -587,8 +587,16 @@ NTSTATUS WINAPI pdo_read(DEVICE_OBJECT *device, IRP *irp)
 UINT buffer_size = RingBuffer_GetBufferSize(ext->u.pdo.ring_buffer);
 NTSTATUS rc = STATUS_SUCCESS;
 IO_STACK_LOCATION *irpsp = IoGetCurrentIrpStackLocation(irp);
+ const WINE_HIDP_PREPARSED_DATA *data = ext->u.pdo.preparsed_data;
 int ptr = -1;
+ if (irpsp->Parameters.Read.Length < data->caps.InputReportByteLength)
+ {
+ irp->IoStatus.Status = STATUS_INVALID_BUFFER_SIZE;
+ IoCompleteRequest(irp, IO_NO_INCREMENT);
+ return STATUS_INVALID_BUFFER_SIZE;
+ }
+
 packet = malloc(buffer_size);
 ptr = PtrToUlong( irp->Tail.Overlay.OriginalFileObject->FsContext );
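Review bot: The new early return in pdo_read completes the IRP without setting `irp->IoStatus.Information`, and the same holds for the check added to pdo_write, which sits above the existing `irp->IoStatus.Information = 0;`. Whether the IRP arrives with that field already zeroed is not visible here, so adding `irp->IoStatus.Information = 0;` before `IoCompleteRequest` in both branches would make a rejected request report zero bytes transferred regardless. The check also dereferences `data` (`ext->u.pdo.preparsed_data`) unconditionally; presumably it is always set by the time a read can arrive, but that is established outside the hunk, as is the rest of the function body.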
@@ -664,6 +672,13 @@ NTSTATUS WINAPI pdo_write(DEVICE_OBJECT *device, IRP *irp)
 ULONG max_len;
 NTSTATUS rc;
+ if (irpsp->Parameters.Write.Length < data->caps.OutputReportByteLength)
+ {
+ irp->IoStatus.Status = irpsp->Parameters.Write.Length ? STATUS_INVALID_PARAMETER : STATUS_INVALID_BUFFER_SIZE;
+ IoCompleteRequest(irp, IO_NO_INCREMENT);
+ return irp->IoStatus.Status;
+ }
+
 irp->IoStatus.Information = 0;
TRACE_(hid_report)("Device %p Buffer length %i Buffer %p\n", device, irpsp->Parameters.Write.Length, irp->AssociatedIrp.SystemBuffer);
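Review bot: The rejection path added to pdo_write reads `irp->IoStatus.Status` in its `return` after `IoCompleteRequest(irp, IO_NO_INCREMENT)` has already run; once an IRP is completed the driver no longer owns it and it may be freed, so this is a read of a completed IRP. The matching path in pdo_read returns the constant and is not affected. Compute the status in the existing local first, `rc = irpsp->Parameters.Write.Length ? STATUS_INVALID_PARAMETER : STATUS_INVALID_BUFFER_SIZE;`, then `irp->IoStatus.Status = rc;` and `return rc;`. A short comment on why a zero-length write gets a different status from a short non-zero one would help the next reader; `irpsp` and `data` are declared outside the hunk and the function continues past it.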