Skip to content

Commit a769f11

Browse files
fdesbiensfdesbiens
authored
Merge commit from fork
add bounds checks for sampling frequency type to identify the right alternate setting
2 parents b1145c2 + 28ca9dd commit a769f11

File tree

1 file changed

+68
-49
lines changed

1 file changed

+68
-49
lines changed

common/usbx_host_classes/src/ux_host_class_audio_alternate_setting_locate.c

Lines changed: 68 additions & 49 deletions
Original file line numberDiff line numberDiff line change
@@ -11,8 +11,8 @@
1111

1212
/**************************************************************************/
1313
/**************************************************************************/
14-
/** */
15-
/** USBX Component */
14+
/** */
15+
/** USBX Component */
1616
/** */
1717
/** Audio Class */
1818
/** */
@@ -37,44 +37,44 @@ static inline UINT _ux_host_class_audio_alternate_setting_locate_2(
3737
#endif
3838

3939

40-
/**************************************************************************/
41-
/* */
42-
/* FUNCTION RELEASE */
43-
/* */
44-
/* _ux_host_class_audio_alternate_setting_locate PORTABLE C */
40+
/**************************************************************************/
41+
/* */
42+
/* FUNCTION RELEASE */
43+
/* */
44+
/* _ux_host_class_audio_alternate_setting_locate PORTABLE C */
4545
/* 6.1.12 */
4646
/* AUTHOR */
4747
/* */
4848
/* Chaoqiong Xiao, Microsoft Corporation */
4949
/* */
5050
/* DESCRIPTION */
51-
/* */
51+
/* */
5252
/* This function finds the right alternate setting according to the */
53-
/* sampling desired. */
54-
/* */
55-
/* INPUT */
56-
/* */
57-
/* audio Pointer to audio class */
58-
/* audio_sampling Pointer to audio sampling */
59-
/* alternate_setting Pointer to located alternate */
60-
/* setting */
61-
/* */
62-
/* OUTPUT */
63-
/* */
64-
/* Completion Status */
65-
/* */
66-
/* CALLS */
67-
/* */
68-
/* _ux_utility_descriptor_parse Parse descriptor */
69-
/* */
70-
/* CALLED BY */
71-
/* */
72-
/* Audio Class */
73-
/* */
74-
/* RELEASE HISTORY */
75-
/* */
76-
/* DATE NAME DESCRIPTION */
77-
/* */
53+
/* sampling desired. */
54+
/* */
55+
/* INPUT */
56+
/* */
57+
/* audio Pointer to audio class */
58+
/* audio_sampling Pointer to audio sampling */
59+
/* alternate_setting Pointer to located alternate */
60+
/* setting */
61+
/* */
62+
/* OUTPUT */
63+
/* */
64+
/* Completion Status */
65+
/* */
66+
/* CALLS */
67+
/* */
68+
/* _ux_utility_descriptor_parse Parse descriptor */
69+
/* */
70+
/* CALLED BY */
71+
/* */
72+
/* Audio Class */
73+
/* */
74+
/* RELEASE HISTORY */
75+
/* */
76+
/* DATE NAME DESCRIPTION */
77+
/* */
7878
/* 05-19-2020 Chaoqiong Xiao Initial Version 6.0 */
7979
/* 09-30-2020 Chaoqiong Xiao Modified comment(s), */
8080
/* resulting in version 6.1 */
@@ -101,23 +101,21 @@ UINT interface_found;
101101
ULONG lower_frequency;
102102
ULONG higher_frequency;
103103
UINT specific_frequency_count;
104-
104+
105105

106106
/* Get the descriptor to the entire configuration. */
107107
descriptor = audio -> ux_host_class_audio_configuration_descriptor;
108108
total_descriptor_length = audio -> ux_host_class_audio_configuration_descriptor_length;
109-
110-
/* Default is Interface descriptor not yet found. */
109+
110+
/* Default is Interface descriptor not yet found. */
111111
interface_found = UX_FALSE;
112-
112+
113113
/* Scan the descriptor for the Audio Streaming interface. */
114114
while (total_descriptor_length)
115115
{
116116

117117
/* Gather the length, type and subtype of the descriptor. */
118118
descriptor_length = *descriptor;
119-
descriptor_type = *(descriptor + 1);
120-
descriptor_subtype = *(descriptor + 2);
121119

122120
/* Make sure this descriptor has at least the minimum length. */
123121
if (descriptor_length < 3)
@@ -131,6 +129,10 @@ UINT specific_frequency_count;
131129

132130
return(UX_DESCRIPTOR_CORRUPTED);
133131
}
132+
133+
descriptor_type = *(descriptor + 1);
134+
descriptor_subtype = *(descriptor + 2);
135+
134136
/* Process relative to descriptor type. */
135137
switch (descriptor_type)
136138
{
@@ -149,7 +151,7 @@ UINT specific_frequency_count;
149151

150152
/* Mark we have found it. */
151153
interface_found = UX_TRUE;
152-
154+
153155
/* And memorize the alternate setting. */
154156
*alternate_setting = interface_descriptor.bAlternateSetting;
155157
}
@@ -160,8 +162,8 @@ UINT specific_frequency_count;
160162
interface_found = UX_FALSE;
161163
}
162164
break;
163-
164-
165+
166+
165167
case UX_HOST_CLASS_AUDIO_CS_INTERFACE:
166168

167169
/* First make sure we have found the correct generic interface descriptor. */
@@ -173,7 +175,7 @@ UINT specific_frequency_count;
173175
UX_HOST_CLASS_AUDIO_INTERFACE_DESCRIPTOR_ENTRIES, (UCHAR *) &audio_interface_descriptor);
174176

175177
/* This descriptor must refer to a PCM audio type. */
176-
if (audio_interface_descriptor.bFormatType != UX_HOST_CLASS_AUDIO_FORMAT_TYPE_I)
178+
if (audio_interface_descriptor.bFormatType != UX_HOST_CLASS_AUDIO_FORMAT_TYPE_I)
177179
break;
178180

179181
/* The number of channels demanded by the application must match. */
@@ -188,18 +190,30 @@ UINT specific_frequency_count;
188190
as a min and max frequency or an array of specified values. */
189191
if (audio_interface_descriptor.bSamFreqType == 0)
190192
{
191-
193+
194+
if (descriptor_length < (UX_HOST_CLASS_AUDIO_INTERFACE_DESCRIPTOR_LENGTH + 6))
195+
{
196+
197+
/* Error trap. */
198+
_ux_system_error_handler(UX_SYSTEM_LEVEL_THREAD, UX_SYSTEM_CONTEXT_CLASS, UX_DESCRIPTOR_CORRUPTED);
199+
200+
/* If trace is enabled, insert this event into the trace buffer. */
201+
UX_TRACE_IN_LINE_INSERT(UX_TRACE_ERROR, UX_DESCRIPTOR_CORRUPTED, descriptor, 0, 0, UX_TRACE_ERRORS, 0, 0)
202+
203+
return(UX_DESCRIPTOR_CORRUPTED);
204+
}
205+
192206
/* The declaration of frequency is contiguous, so get the minimum and maximum */
193207
lower_frequency = (ULONG) *(descriptor + UX_HOST_CLASS_AUDIO_INTERFACE_DESCRIPTOR_LENGTH) |
194208
((ULONG) *(descriptor + UX_HOST_CLASS_AUDIO_INTERFACE_DESCRIPTOR_LENGTH + 1)) << 8 |
195209
((ULONG) *(descriptor + UX_HOST_CLASS_AUDIO_INTERFACE_DESCRIPTOR_LENGTH + 2)) << 16;
196210

197211
higher_frequency = (ULONG) *(descriptor + UX_HOST_CLASS_AUDIO_INTERFACE_DESCRIPTOR_LENGTH + 3) |
198-
((ULONG) *(descriptor + UX_HOST_CLASS_AUDIO_INTERFACE_DESCRIPTOR_LENGTH + 4)) << 8 |
212+
((ULONG) *(descriptor + UX_HOST_CLASS_AUDIO_INTERFACE_DESCRIPTOR_LENGTH + 4)) << 8 |
199213
((ULONG) *(descriptor + UX_HOST_CLASS_AUDIO_INTERFACE_DESCRIPTOR_LENGTH + 5)) << 16;
200214

201215
/* Now compare with what is required. */
202-
if ((audio_sampling -> ux_host_class_audio_sampling_frequency >= lower_frequency) &&
216+
if ((audio_sampling -> ux_host_class_audio_sampling_frequency >= lower_frequency) &&
203217
(audio_sampling -> ux_host_class_audio_sampling_frequency <= higher_frequency))
204218
{
205219

@@ -211,6 +225,11 @@ UINT specific_frequency_count;
211225
else
212226
{
213227

228+
if (descriptor_length < (UX_HOST_CLASS_AUDIO_INTERFACE_DESCRIPTOR_LENGTH + (3 * audio_interface_descriptor.bSamFreqType)))
229+
{
230+
return(UX_DESCRIPTOR_CORRUPTED);
231+
}
232+
214233
/* The declaration of the frequency is declared as an array of specific values. */
215234
for (specific_frequency_count = 0; specific_frequency_count < audio_interface_descriptor.bSamFreqType;
216235
specific_frequency_count++)
@@ -229,10 +248,10 @@ UINT specific_frequency_count;
229248
return(UX_SUCCESS);
230249
}
231250
}
232-
}
251+
}
233252
}
234253
break;
235-
}
254+
}
236255

237256
/* Verify if the descriptor is still valid. */
238257
if (descriptor_length > total_descriptor_length)
@@ -243,7 +262,7 @@ UINT specific_frequency_count;
243262

244263
return(UX_DESCRIPTOR_CORRUPTED);
245264
}
246-
265+
247266
/* Jump to the next descriptor if we have not reached the end. */
248267
descriptor += descriptor_length;
249268

0 commit comments

Comments
 (0)