https://git.reactos.org/?p=reactos.git;a=commitdiff;h=1f76fb738ae0d988f9fb0bb1006487ca15fa599e
commit 1f76fb738ae0d988f9fb0bb1006487ca15fa599e Author: Thomas Faber <thomas.fa...@reactos.org> AuthorDate: Wed Feb 27 10:51:02 2019 +0100 Commit: Thomas Faber <thomas.fa...@reactos.org> CommitDate: Wed Feb 27 11:04:23 2019 +0100 [HDAUDBUS] Prevent overflow of the AudioGroups array. CORE-14153 CORE-15465 This protects against crashing in case of faulty/malicious hardware, but also works around a bug in HDA_SendVerbs that causes it to return invalid data, thereby suggesting more groups than are actually present. --- drivers/wdm/audio/hdaudbus/fdo.cpp | 7 +++++++ drivers/wdm/audio/hdaudbus/hdaudbus.cpp | 1 + 2 files changed, 8 insertions(+) diff --git a/drivers/wdm/audio/hdaudbus/fdo.cpp b/drivers/wdm/audio/hdaudbus/fdo.cpp index 84686e3bd3..64a0c6aef0 100644 --- a/drivers/wdm/audio/hdaudbus/fdo.cpp +++ b/drivers/wdm/audio/hdaudbus/fdo.cpp @@ -222,6 +222,11 @@ HDA_InitCodec( DPRINT1("NodeId %u GroupType %x\n", NodeId, GroupType); if ((GroupType & FUNCTION_GROUP_NODETYPE_MASK) == FUNCTION_GROUP_NODETYPE_AUDIO) { + if (Entry->AudioGroupCount >= HDA_MAX_AUDIO_GROUPS) + { + DPRINT1("Too many audio groups in node %u. Skipping.\n", NodeId); + break; + } AudioGroup = (PHDA_CODEC_AUDIO_GROUP)AllocateItem(NonPagedPool, sizeof(HDA_CODEC_AUDIO_GROUP)); if (!AudioGroup) @@ -682,6 +687,7 @@ HDA_FDORemoveDevice( continue; } + ASSERT(CodecEntry->AudioGroupCount <= HDA_MAX_AUDIO_GROUPS); for (AFGIndex = 0; AFGIndex < CodecEntry->AudioGroupCount; AFGIndex++) { ChildPDO = CodecEntry->AudioGroups[AFGIndex]->ChildPDO; @@ -743,6 +749,7 @@ HDA_FDOQueryBusRelations( continue; Codec = DeviceExtension->Codecs[CodecIndex]; + ASSERT(Codec->AudioGroupCount <= HDA_MAX_AUDIO_GROUPS); for (AFGIndex = 0; AFGIndex < Codec->AudioGroupCount; AFGIndex++) { DeviceRelations->Objects[DeviceRelations->Count] = Codec->AudioGroups[AFGIndex]->ChildPDO; diff --git a/drivers/wdm/audio/hdaudbus/hdaudbus.cpp b/drivers/wdm/audio/hdaudbus/hdaudbus.cpp index 3e1ef9d526..aa62a820ba 100644 
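Review bot: The guard added in HDA_InitCodec before `AllocateItem` has no comment explaining why the count is capped, and the only trace of a truncated codec is a `DPRINT1`. Per the commit message the check both rejects faulty or malicious hardware and works around invalid data returned by HDA_SendVerbs. A comment such as `/* Group count is derived from codec responses and is untrusted; also works around HDA_SendVerbs returning invalid data. */` would stop the check from being dropped as dead code once that bug is fixed. The log text says "in node %u. Skipping." although the limit is on the codec entry's `AudioGroupCount` and the `break` ends the enumeration rather than skipping one node; `"Too many audio groups (max %u), stopping at node %u.\n"` would match what the code does. The enclosing loop and the rest of HDA_InitCodec lie outside the hunk.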
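Review bot: The `ASSERT(CodecEntry->AudioGroupCount <= HDA_MAX_AUDIO_GROUPS)` added in HDA_FDORemoveDevice is normally compiled out of free builds, so there the loop below it still indexes `AudioGroups` with whatever the count holds. The same applies to the asserts added in HDA_FDOQueryBusRelations and in HDA_FdoPnp (hdaudbus.cpp). If the HDA_InitCodec guard is the only place the count can grow, which these hunks do not show, the asserts are fine as invariant documentation. Otherwise bounding the loop itself keeps release builds inside the array: `for (AFGIndex = 0; AFGIndex < CodecEntry->AudioGroupCount && AFGIndex < HDA_MAX_AUDIO_GROUPS; AFGIndex++)`. All three functions start and end outside their hunks.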
--- a/drivers/wdm/audio/hdaudbus/hdaudbus.cpp +++ b/drivers/wdm/audio/hdaudbus/hdaudbus.cpp @@ -63,6 +63,7 @@ HDA_FdoPnp( { CodecEntry = FDODeviceExtension->Codecs[CodecIndex]; + ASSERT(CodecEntry->AudioGroupCount <= HDA_MAX_AUDIO_GROUPS); for (AFGIndex = 0; AFGIndex < CodecEntry->AudioGroupCount; AFGIndex++) { ChildDeviceExtension = static_cast<PHDA_PDO_DEVICE_EXTENSION>(CodecEntry->AudioGroups[AFGIndex]->ChildPDO->DeviceExtension);