VirtualBox

Changeset 35530 in vbox


Ignore:
Timestamp:
Jan 13, 2011 2:38:51 PM (14 years ago)
Author:
vboxsync
Message:

RDP/client: fix memory allocation in USB device enumeration and add some sanity tests

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/VBox/RDP/client/vrdp/rdpusb.c

    r34341 r35530  
    149149unsigned countUSBDevices(PUSBDEVICE pDevices)
    150150{
    151     unsigned i;
    152     PUSBDEVICE pDevice;
    153     for (i = 0, pDevice = pDevices; pDevices->pNext;
    154          ++i, pDevices = pDevices->pNext);
     151    unsigned i = 0;
     152    for (; pDevices; pDevices = pDevices->pNext)
     153        ++i;
    155154    return i;
    156155}
     
    226225{
    227226    char *pBuf;
    228     unsigned cbBuf, iCurrent;
     227    unsigned cDevs, cbBuf, iCurrent;
    229228    uint16_t iNext;
    230229    PUSBDEVICE pCurrent;
    231230
    232     cbBuf = countUSBDevices(pDevices) * DEV_ENTRY_SIZE + 2;
     231    cDevs = countUSBDevices(pDevices);
     232    cbBuf = cDevs * DEV_ENTRY_SIZE + 2;
    233233    pBuf = (char *)xmalloc(cbBuf);
    234234    memset(pBuf, 0, cbBuf);
    235235    for (pCurrent = pDevices, iCurrent = 0; pCurrent;
    236          pCurrent = pCurrent->pNext, iCurrent += iNext)
     236         pCurrent = pCurrent->pNext, iCurrent += iNext, --cDevs)
     237    {
     238        unsigned i, cZeros;
     239
     240        AssertReturnVoidStmt(iCurrent + DEV_ENTRY_SIZE + 2 <= cbBuf,
     241                             free(pBuf));
    237242        fillWireListEntry(pBuf + iCurrent, pCurrent, &iNext);
     243            DevListEntry *pEntry = (DevListEntry *)(pBuf + iCurrent);
     244        /* Sanity tests */
     245        for (i = iCurrent + sizeof(DevListEntry), cZeros = 0;
     246             i < iCurrent + iNext; ++i)
     247             if (pBuf[i] == 0)
     248                 ++cZeros;
     249        AssertReturnVoidStmt(cZeros ==   RT_BOOL(pEntry->oManufacturer)
     250                                       + RT_BOOL(pEntry->oProduct)
     251                                       + RT_BOOL(pEntry->oSerialNumber),
     252                             free(pBuf));
     253        AssertReturnVoidStmt(   pEntry->oManufacturer == 0
     254                             || pBuf[pEntry->oManufacturer] != '\0',
     255                             free(pBuf));
     256        AssertReturnVoidStmt(   pEntry->oProduct == 0
     257                             || pBuf[pEntry->oProduct] != '\0',
     258                             free(pBuf));
     259        AssertReturnVoidStmt(   pEntry->oSerialNumber == 0
     260                             || pBuf[pEntry->oSerialNumber] != '\0',
     261                             free(pBuf));
     262        AssertReturnVoidStmt(cZeros == 0 || pBuf[iCurrent + iNext - 1] == '\0',
     263                             free(pBuf));
     264    }
    238265    *pLen = iCurrent + iNext + 2;
     266    Assert(cDevs == 0);
     267    Assert(*pLen <= cbBuf);
    239268    return pBuf;
    240269}
Note: See TracChangeset for help on using the changeset viewer.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette