Signed-off-by: Rémi Bernon rbernon@codeweavers.com ---
This happens when reading a 0 byte report. It's probably not supposed to be done, but I think crashing winedevice.exe in that case isn't good either.
dlls/hidclass.sys/device.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/dlls/hidclass.sys/device.c b/dlls/hidclass.sys/device.c
index 73ea6610ab8..82366ad1888 100644
--- a/dlls/hidclass.sys/device.c
+++ b/dlls/hidclass.sys/device.c
@@ -345,6 +345,12 @@ static NTSTATUS HID_get_feature(BASE_DEVICE_EXTENSION *ext, IRP *irp)
 out_buffer = MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority);
 TRACE_(hid_report)("Device %p Buffer length %i Buffer %p\n", ext, irpsp->Parameters.DeviceIoControl.OutputBufferLength, out_buffer);
+ if (!irpsp->Parameters.DeviceIoControl.OutputBufferLength || !out_buffer)
+ {
+ irp->IoStatus.Status = STATUS_BUFFER_TOO_SMALL;
+ return rc;
+ }
+
 len = sizeof(*packet) + irpsp->Parameters.DeviceIoControl.OutputBufferLength;
 packet = malloc(len);
 packet->reportBufferLen = irpsp->Parameters.DeviceIoControl.OutputBufferLength;
@@ -495,6 +501,12 @@ NTSTATUS WINAPI pdo_ioctl(DEVICE_OBJECT *device, IRP *irp)
 BYTE *buffer = MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority);
 ULONG out_length;
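Review bot: `packet = malloc(len);` directly below the new guard in HID_get_feature is still dereferenced unchecked on the next line (`packet->reportBufferLen = ...`), and `len` is computed from the request's OutputBufferLength, so a failed allocation on a large request would crash winedevice.exe much as the zero-length case did. Consider `if (!(packet = malloc(len))) { irp->IoStatus.Status = STATUS_NO_MEMORY; return rc; }`. The `packet = malloc(packet_size);` in the pdo_ioctl hunk has the same shape, though its first use lies outside the visible lines. HID_get_feature starts and ends outside this hunk, so the value `rc` holds at the new early return cannot be confirmed from here.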
+ if (!irpsp->Parameters.DeviceIoControl.OutputBufferLength || !buffer)
+ {
+ irp->IoStatus.Status = STATUS_BUFFER_TOO_SMALL;
+ break;
+ }
+
 packet = malloc(packet_size);
if (ext->u.pdo.preparsed_data->reports[0].reportID)
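Review bot: The new guard in pdo_ioctl runs only after `buffer` has already been initialised with `MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority)`, so it helps only if that call is itself safe for a zero-length request. If `irp->MdlAddress` can be NULL when the output length is 0 (not visible from this hunk), the length should be tested before the mapping: declare `BYTE *buffer;`, test `!irpsp->Parameters.DeviceIoControl.OutputBufferLength` first, and assign `buffer` afterwards. HID_get_feature has the same order, with `out_buffer` mapped above its guard. The case block continues outside the hunk, so what follows the `break` is not visible here.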