From ab921d32398be925fcaf8edd3796d363d5716597 Mon Sep 17 00:00:00 2001
From: Matt Reynolds
Date: Tue, 14 Mar 2023 11:25:00 +0000
Subject: [Backport] CVE-2023-1529: Out of bounds memory access in WebHID

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4320692:

hid: Handle empty input reports

It's possible for a HID device to define its report descriptor such that one or more reports have no data fields within the report. When receiving these reports, the report buffer should contain only the report ID byte and no other data. Ensure that we do not read past the end of the buffer when handling zero-length input reports.

(cherry picked from commit c9d77da78bc66c135520ac77873d67b89cdcaee6)

Bug: 1419718
Change-Id: I51d32c20f6b16f0d2b0172e0a165469b6b79748c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4296562
Commit-Queue: Matt Reynolds
Cr-Original-Commit-Position: refs/heads/main@{#1112009}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4320692
Commit-Queue: Reilly Grant
Auto-Submit: Matt Reynolds
Cr-Commit-Position: refs/branch-heads/5481@{#1341}
Cr-Branched-From: 130f3e4d850f4bc7387cfb8d08aa993d288a67a9-refs/heads/main@{#1084008}
(cherry picked from commit b041159d06adbf7487639bd33a261cc0270d7a34)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468611
Reviewed-by: Michal Klocek
---
 chromium/services/device/hid/hid_connection_impl.cc | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/chromium/services/device/hid/hid_connection_impl.cc b/chromium/services/device/hid/hid_connection_impl.cc
index 131eee19f57..508114a7626 100644
--- a/chromium/services/device/hid/hid_connection_impl.cc
+++ b/chromium/services/device/hid/hid_connection_impl.cc
@@ -54,11 +54,12 @@ void HidConnectionImpl::OnInputReport(
 scoped_refptr buffer,
 size_t size) {
 DCHECK(client_);
- uint8_t report_id = buffer->data()[0];
- uint8_t* begin = &buffer->data()[1];
- uint8_t* end = buffer->data().data() + size;
- std::vector data(begin, end);
- client_->OnInputReport(report_id, data);
+ DCHECK_GE(size, 1u);
+ std::vector data;
+ if (size > 1) {
+ data = std::vector(buffer->front() + 1, buffer->front() + size);
+ }
+ client_->OnInputReport(/*report_id=*/buffer->data()[0], data);
 }
 
 void HidConnectionImpl::Read(ReadCallback callback) {
-- 
cgit v1.2.3
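Review bot: The added `DCHECK_GE(size, 1u)` is compiled out in release builds, so a zero-length read would still reach `buffer->data()[0]` on the last added line; if `size == 0` can originate from device input rather than only from a caller bug, an unconditional guard such as `if (size == 0) return;` before the copy (or `CHECK_GE`) is the safer shape, and `if (size > 1)` then reads naturally as "payload present". Nothing in the hunk ties `size` to the buffer's own length, so the range `buffer->front() + size` still relies on the callers — presumably outside this hunk — guaranteeing `size <= buffer->size()`; worth confirming rather than assuming. As a style point, the new lines mix `buffer->front()` (already used as a pointer on the line above) with `buffer->data()[0]` for the same byte; `/*report_id=*/*buffer->front()` would keep one accessor. The signature line of OnInputReport sits just before the hunk.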