[PATCH 1/5] [enum] fix bad realloc trigger for the unref_list array

Pete Batard pete at akeo.ie
Mon Jan 30 17:22:12 EST 2012


First of the must-have patches for libusbx 1.0.9.
Can crash on Windows without it.

Original [PATCH 11/11] from Michael.

Regards,

/Pete

-------- Original Message --------
Subject: [Libusb-devel] [PATCH 11/11] [enum] fix bad realloc trigger for 
the unref_list array
Date: Fri, 23 Dec 2011 18:47:48 -0600
From: Michael Plante <michael.plante at gmail.com>
To: libusb-devel <libusb-devel at lists.sourceforge.net>

>From b8ab5455c956f8b1595079a30aa4c0430f945d62 Mon Sep 17 00:00:00 2001
From: Dave Camarillo <dave.camarillo at gmail.com>
Date: Fri, 23 Sep 2011 11:56:58 +0100
Subject: [PATCH 11/11] [enum] fix bad realloc trigger for the unref_list 
array

* indexes were outgrowing the array before realloc,
   resulting in out of bound access and crash.
---
  libusb/os/windows_usb.c |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libusb/os/windows_usb.c b/libusb/os/windows_usb.c
index dcc7e7f..4d4c92c 100644
--- a/libusb/os/windows_usb.c
+++ b/libusb/os/windows_usb.c
@@ -1421,7 +1421,7 @@ static int windows_get_device_list(struct
libusb_context *ctx, struct discovered
  					windows_device_priv_init(dev);
  					// Keep track of devices that need unref
  					unref_list[unref_cur++] = dev;
-					if (unref_cur > unref_size) {
+					if (unref_cur >= unref_size) {
  						unref_size += 64;
  						unref_list = realloc(unref_list, unref_size*sizeof(libusb_device*));
  						if (unref_list == NULL) {
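Review bot: the `unref_list = realloc(unref_list, unref_size*sizeof(libusb_device*));` line in the grow branch overwrites the only pointer to the old block, so if realloc returns NULL the existing array is leaked and the devices already recorded in it can no longer be reached for unref. Assign the result to a temporary and replace `unref_list` only once it is non-NULL. The `>=` comparison itself is correct: the store `unref_list[unref_cur++] = dev` runs before the check, so with `>` the next store landed at index unref_size, one element past the end, before the array grew. A one-line comment on the check stating that it guarantees room for the next entry would help keep the off-by-one from coming back.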
-- 
1.7.3.1.msysgit.0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0011-enum-fix-bad-realloc-trigger-for-the-unref_list-arra.patch
Type: application/octet-stream
Size: 1032 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/libusbx/attachments/20120130/0eec2d39/attachment.obj>

