https://git.reactos.org/?p=reactos.git;a=commitdiff;h=1f76fb738ae0d988f9fb0…
commit 1f76fb738ae0d988f9fb0bb1006487ca15fa599e
Author: Thomas Faber <thomas.faber(a)reactos.org>
AuthorDate: Wed Feb 27 10:51:02 2019 +0100
Commit: Thomas Faber <thomas.faber(a)reactos.org>
CommitDate: Wed Feb 27 11:04:23 2019 +0100
[HDAUDBUS] Prevent overflow of the AudioGroups array. CORE-14153 CORE-15465
This protects against crashing in case of faulty/malicious hardware,
but also works around a bug in HDA_SendVerbs that causes it to return
invalid data, thereby suggesting more groups than are actually present.
---
drivers/wdm/audio/hdaudbus/fdo.cpp | 7 +++++++
drivers/wdm/audio/hdaudbus/hdaudbus.cpp | 1 +
2 files changed, 8 insertions(+)
diff --git a/drivers/wdm/audio/hdaudbus/fdo.cpp b/drivers/wdm/audio/hdaudbus/fdo.cpp
index 84686e3bd3..64a0c6aef0 100644
--- a/drivers/wdm/audio/hdaudbus/fdo.cpp
+++ b/drivers/wdm/audio/hdaudbus/fdo.cpp
@@ -222,6 +222,11 @@ HDA_InitCodec(
DPRINT1("NodeId %u GroupType %x\n", NodeId, GroupType);
if ((GroupType & FUNCTION_GROUP_NODETYPE_MASK) ==
FUNCTION_GROUP_NODETYPE_AUDIO) {
+ if (Entry->AudioGroupCount >= HDA_MAX_AUDIO_GROUPS)
+ {
+ DPRINT1("Too many audio groups in node %u. Skipping.\n",
NodeId);
+ break;
+ }
AudioGroup = (PHDA_CODEC_AUDIO_GROUP)AllocateItem(NonPagedPool,
sizeof(HDA_CODEC_AUDIO_GROUP));
if (!AudioGroup)
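Review bot: The log text says "Skipping." but the `break` leaves the enclosing loop (presumably the node enumeration, which starts outside this hunk), so every remaining node is dropped, not just this one. Wording such as `DPRINT1("Too many audio groups at node %u. Ignoring remaining nodes.\n", NodeId);` would match what happens. Since the commit message says the count can come from faulty or malicious hardware, a short comment above the check would also help, for example `/* Group count is derived from codec responses and must not be trusted; never store past HDA_MAX_AUDIO_GROUPS entries */`. That keeps the bound from being removed once the HDA_SendVerbs bug is fixed. The `>=` comparison looks right if AudioGroups holds exactly HDA_MAX_AUDIO_GROUPS entries, but the declaration is not visible here.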
@@ -682,6 +687,7 @@ HDA_FDORemoveDevice(
continue;
}
+ ASSERT(CodecEntry->AudioGroupCount <= HDA_MAX_AUDIO_GROUPS);
for (AFGIndex = 0; AFGIndex < CodecEntry->AudioGroupCount; AFGIndex++)
{
ChildPDO = CodecEntry->AudioGroups[AFGIndex]->ChildPDO;
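Review bot: The `ASSERT(CodecEntry->AudioGroupCount <= HDA_MAX_AUDIO_GROUPS);` added here only documents the invariant, because ASSERT is normally compiled out of non-debug builds and the loop that indexes `AudioGroups[AFGIndex]` is then unguarded. The same applies to the ASSERTs added in HDA_FDOQueryBusRelations and in HDA_FdoPnp in hdaudbus.cpp. In this diff the only enforcement is the check in HDA_InitCodec, so it is worth saying so next to each assert, e.g. `/* Bound is enforced in HDA_InitCodec; this ASSERT is debug-only */`. If any other code path can write AudioGroupCount, bounding the loop itself would be safer, e.g. `AFGIndex < min(CodecEntry->AudioGroupCount, HDA_MAX_AUDIO_GROUPS)`. All three loops sit in functions whose bodies start and end outside their hunks.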
@@ -743,6 +749,7 @@ HDA_FDOQueryBusRelations(
continue;
Codec = DeviceExtension->Codecs[CodecIndex];
+ ASSERT(Codec->AudioGroupCount <= HDA_MAX_AUDIO_GROUPS);
for (AFGIndex = 0; AFGIndex < Codec->AudioGroupCount; AFGIndex++)
{
DeviceRelations->Objects[DeviceRelations->Count] =
Codec->AudioGroups[AFGIndex]->ChildPDO;
diff --git a/drivers/wdm/audio/hdaudbus/hdaudbus.cpp
b/drivers/wdm/audio/hdaudbus/hdaudbus.cpp
index 3e1ef9d526..aa62a820ba 100644
--- a/drivers/wdm/audio/hdaudbus/hdaudbus.cpp
+++ b/drivers/wdm/audio/hdaudbus/hdaudbus.cpp
@@ -63,6 +63,7 @@ HDA_FdoPnp(
{
CodecEntry = FDODeviceExtension->Codecs[CodecIndex];
+ ASSERT(CodecEntry->AudioGroupCount <= HDA_MAX_AUDIO_GROUPS);
for (AFGIndex = 0; AFGIndex < CodecEntry->AudioGroupCount; AFGIndex++)
{
ChildDeviceExtension =
static_cast<PHDA_PDO_DEVICE_EXTENSION>(CodecEntry->AudioGroups[AFGIndex]->ChildPDO->DeviceExtension);