Merge commit from fork

fdesbiens · web-flow · commit 652c2949ebd4 · 2025-09-29T19:51:38.000+01:00
Add bounds check for sampling frequency in audio descriptor parsing
diff --git a/common/usbx_host_classes/src/ux_host_class_audio_descriptors_parse.c b/common/usbx_host_classes/src/ux_host_class_audio_descriptors_parse.c
@@ -102,7 +102,7 @@ UINT                                            status;
 
     /* Ensure the instance is valid.  */
     if (_ux_host_stack_class_instance_verify(_ux_system_host_class_audio_name, (VOID *) audio) != UX_SUCCESS)
-    {        
+    {
 
         /* Error trap. */
         _ux_system_error_handler(UX_SYSTEM_LEVEL_THREAD, UX_SYSTEM_CONTEXT_CLASS, UX_HOST_CLASS_INSTANCE_UNKNOWN);
@@ -134,12 +134,13 @@ UINT                                            status;
 
         /* Gather the length, type and subtype of the descriptor.  */
         descriptor_length =   *descriptor;
-        descriptor_type =     *(descriptor + 1);
 
-        /* Make sure this descriptor has at least the minimum length.  */
+                /* Make sure this descriptor has at least the minimum length.  */
         if (descriptor_length < 3)
             return(UX_DESCRIPTOR_CORRUPTED);
 
+        descriptor_type =     *(descriptor + 1);
+
         /* Process relative to descriptor type.  */
         switch (descriptor_type)
         {
@@ -173,7 +174,6 @@ UINT                                            status;
             /* Have we found the audio interface yet?  */
             if (interface_descriptor != UX_NULL)
             {
-
                 /* Yes, parse the audio specific descriptor.  */
                 status = parse_function(arg, interface_descriptor, endpoint_descriptor, descriptor);
 
diff --git a/common/usbx_host_classes/src/ux_host_class_audio_raw_sampling_parse.c b/common/usbx_host_classes/src/ux_host_class_audio_raw_sampling_parse.c
@@ -161,6 +161,7 @@ struct UX_HOST_CLASS_AUDIO10_SAM_PARSER           *parser = (struct UX_HOST_CLAS
 UX_HOST_CLASS_AUDIO_SAMPLING_CHARACTERISTICS    sam_attr;
 ULONG                                           n, offset;
 UINT                                            status;
+UINT descriptor_length = packed_audio_descriptor[0];
 
     UX_PARAMETER_NOT_USED(packed_endpoint_descriptor);
 
@@ -178,10 +179,32 @@ UINT                                            status;
     if (packed_audio_descriptor[2] != UX_HOST_CLASS_AUDIO_CS_FORMAT_TYPE)
         return(0);
 
+    if (descriptor_length < 4)
+    {
+        /* Error trap. */
+        _ux_system_error_handler(UX_SYSTEM_LEVEL_THREAD, UX_SYSTEM_CONTEXT_CLASS, UX_DESCRIPTOR_CORRUPTED);
+
+        /* If trace is enabled, insert this event into the trace buffer.  */
+        UX_TRACE_IN_LINE_INSERT(UX_TRACE_ERROR, UX_DESCRIPTOR_CORRUPTED, descriptor, 0, 0, UX_TRACE_ERRORS, 0, 0)
+
+        return(UX_DESCRIPTOR_CORRUPTED);
+    }
+
     /* Check bFormatType @ 3.  */
     if (packed_audio_descriptor[3] != UX_HOST_CLASS_AUDIO_FORMAT_TYPE_I)
         return(0);
 
+    if (descriptor_length < 8)
+    {
+        /* Error trap. */
+        _ux_system_error_handler(UX_SYSTEM_LEVEL_THREAD, UX_SYSTEM_CONTEXT_CLASS, UX_DESCRIPTOR_CORRUPTED);
+
+        /* If trace is enabled, insert this event into the trace buffer.  */
+        UX_TRACE_IN_LINE_INSERT(UX_TRACE_ERROR, UX_DESCRIPTOR_CORRUPTED, descriptor, 0, 0, UX_TRACE_ERRORS, 0, 0)
+
+        return(UX_DESCRIPTOR_CORRUPTED);
+    }
+
     /* Get bNrChannels @ 4.  */
     sam_attr.ux_host_class_audio_sampling_characteristics_channels = packed_audio_descriptor[4];
 
@@ -196,6 +219,16 @@ UINT                                            status;
     /* Check bSamFreqType @ 7.  */
     if (packed_audio_descriptor[7] == 0)
     {
+        if (descriptor_length < 14)
+        {
+          /* Error trap. */
+          _ux_system_error_handler(UX_SYSTEM_LEVEL_THREAD, UX_SYSTEM_CONTEXT_CLASS, UX_DESCRIPTOR_CORRUPTED);
+
+          /* If trace is enabled, insert this event into the trace buffer.  */
+          UX_TRACE_IN_LINE_INSERT(UX_TRACE_ERROR, UX_DESCRIPTOR_CORRUPTED, descriptor, 0, 0, UX_TRACE_ERRORS, 0, 0)
+
+          return(UX_DESCRIPTOR_CORRUPTED);
+        }
 
         /* Continuous, get dLowSamFreq and dHighSamFreq.  */
         sam_attr.ux_host_class_audio_sampling_characteristics_frequency_low =
@@ -213,6 +246,16 @@ UINT                                            status;
     }
     else
     {
+        if (descriptor_length < (8 + (3 * packed_audio_descriptor[7])))
+        {
+          /* Error trap. */
+          _ux_system_error_handler(UX_SYSTEM_LEVEL_THREAD, UX_SYSTEM_CONTEXT_CLASS, UX_DESCRIPTOR_CORRUPTED);
+
+          /* If trace is enabled, insert this event into the trace buffer.  */
+          UX_TRACE_IN_LINE_INSERT(UX_TRACE_ERROR, UX_DESCRIPTOR_CORRUPTED, descriptor, 0, 0, UX_TRACE_ERRORS, 0, 0)
+
+          return(UX_DESCRIPTOR_CORRUPTED);
+        }
 
         /* Parse list of sampling characteristics.  */
         for (n = 0, offset = 8;
@@ -271,6 +314,7 @@ static UINT  _ux_host_class_audio_ac_find_parse(VOID  *arg,
                               UCHAR *packed_audio_descriptor)
 {
 struct UX_HOST_CLASS_AUDIO_AC_DESCR_FINDER_STRUCT *finder = (struct UX_HOST_CLASS_AUDIO_AC_DESCR_FINDER_STRUCT *)arg;
+UINT descriptor_length = packed_audio_descriptor[0];
 
     UX_PARAMETER_NOT_USED(packed_endpoint_descriptor);
 
@@ -289,6 +333,17 @@ struct UX_HOST_CLASS_AUDIO_AC_DESCR_FINDER_STRUCT *finder = (struct UX_HOST_CLAS
     if (packed_audio_descriptor[2] != finder -> subtype)
         return(0);
 
+    if (descriptor_length < 4)
+    {
+        /* Error trap. */
+        _ux_system_error_handler(UX_SYSTEM_LEVEL_THREAD, UX_SYSTEM_CONTEXT_CLASS, UX_DESCRIPTOR_CORRUPTED);
+
+        /* If trace is enabled, insert this event into the trace buffer.  */
+        UX_TRACE_IN_LINE_INSERT(UX_TRACE_ERROR, UX_DESCRIPTOR_CORRUPTED, descriptor, 0, 0, UX_TRACE_ERRORS, 0, 0)
+
+        return(0);
+    }
+
     /* Check bEntityID @ 3.  */
     if (packed_audio_descriptor[3] != finder -> id)
         return(0);
@@ -332,7 +387,7 @@ UINT            status;
 
     if (audio -> ux_host_class_audio_type == UX_HOST_CLASS_AUDIO_INPUT)
     {
-    
+
         /* If audio input, streaming is from output terminal (OT).  */
         descriptor = _ux_host_class_audio_ac_find(audio,
                                         UX_CLASS_AUDIO20_AC_OUTPUT_TERMINAL,
@@ -546,6 +601,7 @@ UX_TRANSFER                                     *transfer;
 UCHAR                                           *buffer;
 ULONG                                           n_sub, param_len, offset;
 UX_HOST_CLASS_AUDIO_SAMPLING_CHARACTERISTICS    sam_attr;
+UINT descriptor_length = packed_audio_descriptor[0];
 
     UX_PARAMETER_NOT_USED(packed_endpoint_descriptor);
 
@@ -571,6 +627,19 @@ UX_HOST_CLASS_AUDIO_SAMPLING_CHARACTERISTICS    sam_attr;
     /* Check bDescriptorSubType@2, bFormatType@3 to confirm FORMAT_TYPE_I.  */
     if (packed_audio_descriptor[2] != UX_CLASS_AUDIO20_AS_FORMAT_TYPE)
         return(0);
+
+    if (descriptor_length < 6)
+    {
+        /* Error trap. */
+        _ux_system_error_handler(UX_SYSTEM_LEVEL_THREAD, UX_SYSTEM_CONTEXT_CLASS, UX_DESCRIPTOR_CORRUPTED);
+
+        /* If trace is enabled, insert this event into the trace buffer.  */
+        UX_TRACE_IN_LINE_INSERT(UX_TRACE_ERROR, UX_DESCRIPTOR_CORRUPTED, descriptor, 0, 0, UX_TRACE_ERRORS, 0, 0)
+
+        parser -> status = UX_DESCRIPTOR_CORRUPTED;
+        return(1);
+    }
+
     if (packed_audio_descriptor[3] != UX_CLASS_AUDIO20_FORMAT_TYPE_I)
         return(0);
 
@@ -654,7 +723,7 @@ UX_HOST_CLASS_AUDIO_SAMPLING_CHARACTERISTICS    sam_attr;
         parser -> status = UX_MATH_OVERFLOW;
         return(1);
     }
- 
+
     /* Allocate buffer for GET_RANGE.  */
     buffer = _ux_utility_memory_allocate(UX_NO_ALIGN, UX_CACHE_SAFE_MEMORY, param_len);
     if (buffer == UX_NULL)
