Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-03-30 17:10:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

[HDAUDBUS] Prevent overflow of the AudioGroups array. CORE-14153 CORE-15465

Browse source 
This protects against crashing in case of faulty/malicious hardware,
but also works around a bug in HDA_SendVerbs that causes it to return
invalid data, thereby suggesting more groups than are actually present.
This commit is contained in:
Thomas Faber 2019-02-27 10:51:02 +01:00
parent 8423d8b7e1
commit 1f76fb738a
No known key found for this signature in database
GPG key ID: 076E7C3D44720826
2 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
drivers/wdm/audio/hdaudbus/fdo.cpp
View file

@ -222,6 +222,11 @@ HDA_InitCodec(
DPRINT1("NodeId %u GroupType %x\n", NodeId, GroupType); DPRINT1("NodeId %u GroupType %x\n", NodeId, GroupType);
if ((GroupType & FUNCTION_GROUP_NODETYPE_MASK) == FUNCTION_GROUP_NODETYPE_AUDIO) { if ((GroupType & FUNCTION_GROUP_NODETYPE_MASK) == FUNCTION_GROUP_NODETYPE_AUDIO) {
if (Entry->AudioGroupCount >= HDA_MAX_AUDIO_GROUPS)
{
DPRINT1("Too many audio groups in node %u. Skipping.\n", NodeId);
break;
}
AudioGroup = (PHDA_CODEC_AUDIO_GROUP)AllocateItem(NonPagedPool, sizeof(HDA_CODEC_AUDIO_GROUP)); AudioGroup = (PHDA_CODEC_AUDIO_GROUP)AllocateItem(NonPagedPool, sizeof(HDA_CODEC_AUDIO_GROUP));
if (!AudioGroup) if (!AudioGroup)
@ -682,6 +687,7 @@ HDA_FDORemoveDevice(
continue; continue;
} }
ASSERT(CodecEntry->AudioGroupCount <= HDA_MAX_AUDIO_GROUPS);
for (AFGIndex = 0; AFGIndex < CodecEntry->AudioGroupCount; AFGIndex++) for (AFGIndex = 0; AFGIndex < CodecEntry->AudioGroupCount; AFGIndex++)
{ {
ChildPDO = CodecEntry->AudioGroups[AFGIndex]->ChildPDO; ChildPDO = CodecEntry->AudioGroups[AFGIndex]->ChildPDO;
@ -743,6 +749,7 @@ HDA_FDOQueryBusRelations(
continue; continue;
Codec = DeviceExtension->Codecs[CodecIndex]; Codec = DeviceExtension->Codecs[CodecIndex];
ASSERT(Codec->AudioGroupCount <= HDA_MAX_AUDIO_GROUPS);
for (AFGIndex = 0; AFGIndex < Codec->AudioGroupCount; AFGIndex++) for (AFGIndex = 0; AFGIndex < Codec->AudioGroupCount; AFGIndex++)
{ {
DeviceRelations->Objects[DeviceRelations->Count] = Codec->AudioGroups[AFGIndex]->ChildPDO; DeviceRelations->Objects[DeviceRelations->Count] = Codec->AudioGroups[AFGIndex]->ChildPDO;

1
drivers/wdm/audio/hdaudbus/hdaudbus.cpp
View file

@ -63,6 +63,7 @@ HDA_FdoPnp(
{ {
CodecEntry = FDODeviceExtension->Codecs[CodecIndex]; CodecEntry = FDODeviceExtension->Codecs[CodecIndex];
ASSERT(CodecEntry->AudioGroupCount <= HDA_MAX_AUDIO_GROUPS);
for (AFGIndex = 0; AFGIndex < CodecEntry->AudioGroupCount; AFGIndex++) for (AFGIndex = 0; AFGIndex < CodecEntry->AudioGroupCount; AFGIndex++)
{ {
ChildDeviceExtension = static_cast<PHDA_PDO_DEVICE_EXTENSION>(CodecEntry->AudioGroups[AFGIndex]->ChildPDO->DeviceExtension); ChildDeviceExtension = static_cast<PHDA_PDO_DEVICE_EXTENSION>(CodecEntry->AudioGroups[AFGIndex]->ChildPDO->DeviceExtension);