diff options
author | Ruiyu Ni <ruiyu.ni@intel.com> | 2018-09-13 15:49:23 +0800 |
---|---|---|
committer | Ruiyu Ni <ruiyu.ni@intel.com> | 2018-10-17 11:04:01 +0800 |
commit | 8bcbe587e794aaaa6506b647732316ce5ba40168 (patch) | |
tree | 22ef006f62b64db008216c5e88566053d94716ba /MdeModulePkg | |
parent | 4d2b5066317d3e16dc8041a3e62d3bfe1c90bb02 (diff) | |
download | edk2-8bcbe587e794aaaa6506b647732316ce5ba40168.zip edk2-8bcbe587e794aaaa6506b647732316ce5ba40168.tar.gz edk2-8bcbe587e794aaaa6506b647732316ce5ba40168.tar.bz2 |
MdeModulePkg/UsbKb: Don't access key codes when length is wrong
Per USB HID spec, the buffer holding key codes should be 8-byte
long.
Today's code assumes that the key codes buffer length is 8-byte
long and unconditionally accesses the key codes buffer.
It's incorrect.
The patch fixes the issue by returning Device Error when the
length is less than 8-byte.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Diffstat (limited to 'MdeModulePkg')
-rw-r--r-- | MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c index 9cb4b5d..7505951 100644 --- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c +++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c @@ -1059,6 +1059,10 @@ KeyboardHandler ( // Byte 1 is reserved.
// Bytes 2 to 7 are keycodes.
//
+ if (DataLength < 8) {
+ return EFI_DEVICE_ERROR;
+ }
+
CurKeyCodeBuffer = (UINT8 *) Data;
OldKeyCodeBuffer = UsbKeyboardDevice->LastKeyCodeArray;
|