From f4962e7c69a105ae142d9a4343cbc3aa840d8dbd Mon Sep 17 00:00:00 2001
From: Michael Martin <michael.martin@reactos.org>
Date: Fri, 25 Jun 2010 15:50:26 +0000
Subject: [PATCH] [usbehci] - Use the correct offset of
 ROOTHUB2_CONFIGURATION_DESCRIPTOR and ROOTHUB2_INTERFACE_DESCRIPTOR to
 calculate needed buffer sizes. Fixes a buffer overflow crash.

svn path=/trunk/; revision=47845
---
 reactos/drivers/usb/usbehci/pdo.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/reactos/drivers/usb/usbehci/pdo.c b/reactos/drivers/usb/usbehci/pdo.c
index cf84911afa7..d0cf3072b62 100644
--- a/reactos/drivers/usb/usbehci/pdo.c
+++ b/reactos/drivers/usb/usbehci/pdo.c
@@ -394,11 +394,11 @@ PdoDispatchPnp(
                                                             USB_POOL_TAG);
 
             RootHubDevice->Configs[0] = ExAllocatePoolWithTag(NonPagedPool,
-                                                            sizeof(USB_CONFIGURATION) + sizeof(PVOID) * ROOTHUB2_CONFIGURATION_DESCRIPTOR[5],
+                                                            sizeof(USB_CONFIGURATION) + sizeof(PVOID) * ROOTHUB2_CONFIGURATION_DESCRIPTOR[4],
                                                             USB_POOL_TAG);
 
             RootHubDevice->Configs[0]->Interfaces[0] = ExAllocatePoolWithTag(NonPagedPool,
-                                                            sizeof(USB_INTERFACE) + sizeof(PVOID) * ROOTHUB2_INTERFACE_DESCRIPTOR[3],
+                                                            sizeof(USB_INTERFACE) + sizeof(PVOID) * ROOTHUB2_INTERFACE_DESCRIPTOR[4],
                                                             USB_POOL_TAG);
 
             RootHubDevice->Configs[0]->Interfaces[0]->EndPoints[0] = ExAllocatePoolWithTag(NonPagedPool,