Skip to content

Commit ef26ed2

Browse files
YouwYouw
committed
fix possible null-pointer dereference
1 parent 3c24d0d commit ef26ed2

File tree

1 file changed

+12
-4
lines changed

1 file changed

+12
-4
lines changed

libusb/hid.c

Lines changed: 12 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1679,7 +1679,7 @@ int HID_API_EXPORT hid_send_feature_report(hid_device *dev, const unsigned char
16791679
{
16801680
int res = -1;
16811681
int skipped_report_id = 0;
1682-
int report_number = data[0];
1682+
int report_number;
16831683

16841684
if (!data || !length) {
16851685
register_string_error(&dev->error, "Zero buffer/length");
@@ -1688,6 +1688,8 @@ int HID_API_EXPORT hid_send_feature_report(hid_device *dev, const unsigned char
16881688

16891689
register_libusb_error(&dev->error, LIBUSB_SUCCESS, NULL);
16901690

1691+
report_number = data[0]
1692+
16911693
if (report_number == 0x0) {
16921694
data++;
16931695
length--;
@@ -1718,7 +1720,7 @@ int HID_API_EXPORT hid_get_feature_report(hid_device *dev, unsigned char *data,
17181720
{
17191721
int res = -1;
17201722
int skipped_report_id = 0;
1721-
int report_number = data[0];
1723+
int report_number;
17221724

17231725
if (!data || !length) {
17241726
register_string_error(&dev->error, "Zero buffer/length");
@@ -1727,6 +1729,8 @@ int HID_API_EXPORT hid_get_feature_report(hid_device *dev, unsigned char *data,
17271729

17281730
register_libusb_error(&dev->error, LIBUSB_SUCCESS, NULL);
17291731

1732+
report_number = data[0]
1733+
17301734
if (report_number == 0x0) {
17311735
/* Offset the return buffer by 1, so that the report ID
17321736
will remain in byte 0. */
@@ -1757,7 +1761,7 @@ int HID_API_EXPORT hid_send_output_report(hid_device *dev, const unsigned char *
17571761
{
17581762
int res = -1;
17591763
int skipped_report_id = 0;
1760-
int report_number = data[0];
1764+
int report_number;
17611765

17621766
if (!data || !length) {
17631767
register_string_error(&dev->error, "Zero buffer/length");
@@ -1766,6 +1770,8 @@ int HID_API_EXPORT hid_send_output_report(hid_device *dev, const unsigned char *
17661770

17671771
register_libusb_error(&dev->error, LIBUSB_SUCCESS, NULL);
17681772

1773+
report_number = data[0]
1774+
17691775
if (report_number == 0x0) {
17701776
data++;
17711777
length--;
@@ -1796,7 +1802,7 @@ int HID_API_EXPORT HID_API_CALL hid_get_input_report(hid_device *dev, unsigned c
17961802
{
17971803
int res = -1;
17981804
int skipped_report_id = 0;
1799-
int report_number = data[0];
1805+
int report_number;
18001806

18011807
if (!data || !length) {
18021808
register_string_error(&dev->error, "Zero buffer/length");
@@ -1805,6 +1811,8 @@ int HID_API_EXPORT HID_API_CALL hid_get_input_report(hid_device *dev, unsigned c
18051811

18061812
register_libusb_error(&dev->error, LIBUSB_SUCCESS, NULL);
18071813

1814+
report_number = data[0];
1815+
18081816
if (report_number == 0x0) {
18091817
/* Offset the return buffer by 1, so that the report ID
18101818
will remain in byte 0. */

0 commit comments

Comments
 (0)