From f61b10dcf127645c2ce6cab12d2c71d28d1192d6 Mon Sep 17 00:00:00 2001 From: Sam Lantinga <slouken@libsdl.org> Date: Mon, 8 Nov 2021 06:34:32 -0800 Subject: [PATCH] Do more robust validation of devices passed to the SDL HIDAPI functions --- src/hidapi/SDL_hidapi.c | 79 +++++++++++++++++++++-------------------- 1 file changed, 40 insertions(+), 39 deletions(-) diff --git a/src/hidapi/SDL_hidapi.c b/src/hidapi/SDL_hidapi.c index 80a0ee931..70a53f299 100644 --- a/src/hidapi/SDL_hidapi.c +++ b/src/hidapi/SDL_hidapi.c @@ -423,19 +423,22 @@ static const struct hidapi_backend LIBUSB_Backend = { typedef struct _HIDDeviceWrapper HIDDeviceWrapper; struct _HIDDeviceWrapper { - SDL_hid_device *device; /* must be first field */ + const void *magic; + SDL_hid_device *device; const struct hidapi_backend *backend; }; +static char device_magic; #if HAVE_PLATFORM_BACKEND || HAVE_DRIVER_BACKEND || defined(SDL_LIBUSB_DYNAMIC) static HIDDeviceWrapper * CreateHIDDeviceWrapper(SDL_hid_device *device, const struct hidapi_backend *backend) { - HIDDeviceWrapper *ret = (HIDDeviceWrapper *)SDL_malloc(sizeof(*ret)); - ret->device = device; - ret->backend = backend; - return ret; + HIDDeviceWrapper *wrapper = (HIDDeviceWrapper *)SDL_malloc(sizeof(*wrapper)); + wrapper->magic = &device_magic; + wrapper->device = device; + wrapper->backend = backend; + return wrapper; } static SDL_hid_device * @@ -455,9 +458,17 @@ UnwrapHIDDevice(SDL_hid_device *device) static void DeleteHIDDeviceWrapper(HIDDeviceWrapper *device) { + device->magic = NULL; SDL_free(device); } +#define CHECK_DEVICE_MAGIC(device, retval) \ + SDL_assert(device && device->magic == &device_magic); \ + if (!device || device->magic != &device_magic) { \ + SDL_SetError("Invalid device"); \ + return retval; \ + } + #ifndef SDL_DISABLE_HIDAPI #define COPY_IF_EXISTS(var) \ @@ -848,9 +859,8 @@ int SDL_hid_write(SDL_hid_device *device, const unsigned char *data, size_t leng HIDDeviceWrapper *wrapper = UnwrapHIDDevice(device); int result; - if (!wrapper) { - return -1; - } + CHECK_DEVICE_MAGIC(wrapper, -1); + result = wrapper->backend->hid_write(wrapper->device, data, length); if (result < 0) { SDL_SetHIDAPIError(wrapper->backend->hid_error(wrapper->device)); @@ -863,9 +873,8 @@ int SDL_hid_read_timeout(SDL_hid_device *device, unsigned char *data, size_t len HIDDeviceWrapper *wrapper = UnwrapHIDDevice(device); int result; - if (!wrapper) { - return -1; - } + CHECK_DEVICE_MAGIC(wrapper, -1); + result = wrapper->backend->hid_read_timeout(wrapper->device, data, length, milliseconds); if (result < 0) { SDL_SetHIDAPIError(wrapper->backend->hid_error(wrapper->device)); @@ -878,9 +887,8 @@ int SDL_hid_read(SDL_hid_device *device, unsigned char *data, size_t length) HIDDeviceWrapper *wrapper = UnwrapHIDDevice(device); int result; - if (!wrapper) { - return -1; - } + CHECK_DEVICE_MAGIC(wrapper, -1); + result = wrapper->backend->hid_read(wrapper->device, data, length); if (result < 0) { SDL_SetHIDAPIError(wrapper->backend->hid_error(wrapper->device)); @@ -893,9 +901,8 @@ int SDL_hid_set_nonblocking(SDL_hid_device *device, int nonblock) HIDDeviceWrapper *wrapper = UnwrapHIDDevice(device); int result; - if (!wrapper) { - return -1; - } + CHECK_DEVICE_MAGIC(wrapper, -1); + result = wrapper->backend->hid_set_nonblocking(wrapper->device, nonblock); if (result < 0) { SDL_SetHIDAPIError(wrapper->backend->hid_error(wrapper->device)); @@ -908,9 +915,8 @@ int SDL_hid_send_feature_report(SDL_hid_device *device, const unsigned char *dat HIDDeviceWrapper *wrapper = UnwrapHIDDevice(device); int result; - if (!wrapper) { - return -1; - } + CHECK_DEVICE_MAGIC(wrapper, -1); + result = wrapper->backend->hid_send_feature_report(wrapper->device, data, length); if (result < 0) { SDL_SetHIDAPIError(wrapper->backend->hid_error(wrapper->device)); @@ -923,9 +929,8 @@ int SDL_hid_get_feature_report(SDL_hid_device *device, unsigned char *data, size HIDDeviceWrapper *wrapper = UnwrapHIDDevice(device); int result; - if (!wrapper) { - return -1; - } + CHECK_DEVICE_MAGIC(wrapper, -1); + result = wrapper->backend->hid_get_feature_report(wrapper->device, data, length); if (result < 0) { SDL_SetHIDAPIError(wrapper->backend->hid_error(wrapper->device)); @@ -937,10 +942,10 @@ void SDL_hid_close(SDL_hid_device *device) { HIDDeviceWrapper *wrapper = UnwrapHIDDevice(device); - if (wrapper) { - wrapper->backend->hid_close(wrapper->device); - DeleteHIDDeviceWrapper(wrapper); - } + CHECK_DEVICE_MAGIC(wrapper,); + + wrapper->backend->hid_close(wrapper->device); + DeleteHIDDeviceWrapper(wrapper); } int SDL_hid_get_manufacturer_string(SDL_hid_device *device, wchar_t *string, size_t maxlen) @@ -948,9 +953,8 @@ int SDL_hid_get_manufacturer_string(SDL_hid_device *device, wchar_t *string, siz HIDDeviceWrapper *wrapper = UnwrapHIDDevice(device); int result; - if (!wrapper) { - return -1; - } + CHECK_DEVICE_MAGIC(wrapper, -1); + result = wrapper->backend->hid_get_manufacturer_string(wrapper->device, string, maxlen); if (result < 0) { SDL_SetHIDAPIError(wrapper->backend->hid_error(wrapper->device)); @@ -963,9 +967,8 @@ int SDL_hid_get_product_string(SDL_hid_device *device, wchar_t *string, size_t m HIDDeviceWrapper *wrapper = UnwrapHIDDevice(device); int result; - if (!wrapper) { - return -1; - } + CHECK_DEVICE_MAGIC(wrapper, -1); + result = wrapper->backend->hid_get_product_string(wrapper->device, string, maxlen); if (result < 0) { SDL_SetHIDAPIError(wrapper->backend->hid_error(wrapper->device)); @@ -978,9 +981,8 @@ int SDL_hid_get_serial_number_string(SDL_hid_device *device, wchar_t *string, si HIDDeviceWrapper *wrapper = UnwrapHIDDevice(device); int result; - if (!wrapper) { - return -1; - } + CHECK_DEVICE_MAGIC(wrapper, -1); + result = wrapper->backend->hid_get_serial_number_string(wrapper->device, string, maxlen); if (result < 0) { SDL_SetHIDAPIError(wrapper->backend->hid_error(wrapper->device)); @@ -993,9 +995,8 @@ int SDL_hid_get_indexed_string(SDL_hid_device *device, int string_index, wchar_t HIDDeviceWrapper *wrapper = UnwrapHIDDevice(device); int result; - if (!wrapper) { - return -1; - } + CHECK_DEVICE_MAGIC(wrapper, -1); + result = wrapper->backend->hid_get_indexed_string(wrapper->device, string_index, string, maxlen); if (result < 0) { SDL_SetHIDAPIError(wrapper->backend->hid_error(wrapper->device));