Hi, I've been investigating a STATUS_STACK_BUFFER_OVERRUN (0xc0000409) exception when running the latest libusbx in Windows XP. I believe it's due to a bug in how the fake USB descriptors for HID devices are created. The location of the second endpoint was being calculated incorrectly in _hid_get_config_descriptor.
I've attached a fix for it. The only thing I'm not entirely happy with about the fix is the use of ed2 as a variable name, feel free to suggest a better alternative.
This bug has clearly been present for a while, but for some reason we've only seen it in our latest round of testing. I also can't reproduce it with debug builds of libusbx, only release binaries.
Regards, Toby
>From 2ad149d16c9d3c74134a42a81b13952a8895513f Mon Sep 17 00:00:00 2001 From: Toby Gray <toby.g...@realvnc.com> Date: Fri, 22 Mar 2013 13:50:01 +0000 Subject: [PATCH] Windows: Fix USB descriptor creation code for HID devices. Prior to this fix the location for the next endpoint structure was obtained by using ed++. This doesn't work as sizeof(libusb_endpoint_descriptor) is greater than LIBUSB_DT_ENDPOINT_SIZE due to extra members. --- libusb/os/windows_usb.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/libusb/os/windows_usb.c b/libusb/os/windows_usb.c index d8156b8..749638a 100644 --- a/libusb/os/windows_usb.c +++ b/libusb/os/windows_usb.c @@ -3178,6 +3178,7 @@ static int _hid_get_config_descriptor(struct hid_device_priv* dev, void *data, s struct libusb_interface_descriptor *id; struct libusb_hid_descriptor *hd; struct libusb_endpoint_descriptor *ed; + struct libusb_endpoint_descriptor *ed2; size_t tmp_size; if (dev->input_report_size) @@ -3196,6 +3197,10 @@ static int _hid_get_config_descriptor(struct hid_device_priv* dev, void *data, s ed = (struct libusb_endpoint_descriptor *)(tmp + LIBUSB_DT_CONFIG_SIZE + LIBUSB_DT_INTERFACE_SIZE + LIBUSB_DT_HID_SIZE); + ed2 = (struct libusb_endpoint_descriptor *)(tmp + LIBUSB_DT_CONFIG_SIZE + + LIBUSB_DT_INTERFACE_SIZE + + LIBUSB_DT_HID_SIZE + + LIBUSB_DT_ENDPOINT_SIZE); cd->bLength = LIBUSB_DT_CONFIG_SIZE; cd->bDescriptorType = LIBUSB_DT_CONFIG; @@ -3227,7 +3232,7 @@ static int _hid_get_config_descriptor(struct hid_device_priv* dev, void *data, s ed->wMaxPacketSize = dev->input_report_size - 1; ed->bInterval = 10; - ed++; + ed = ed2; } if (dev->output_report_size) { -- 1.7.9
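Review bot: the ed2 offset expression in the second hunk duplicates the one used for ed, and ed2 exists only to feed the later "ed = ed2;". Consider dropping the extra variable and advancing in place where "ed++;" used to be, for example "ed = (struct libusb_endpoint_descriptor *)((uint8_t *)ed + LIBUSB_DT_ENDPOINT_SIZE);", which keeps the stride next to the write it governs and removes the naming question. A one-line comment there stating that sizeof(struct libusb_endpoint_descriptor) is larger than LIBUSB_DT_ENDPOINT_SIZE would keep a later cleanup from turning it back into ed++. The visible hunks also do not show where the buffer behind tmp is sized, so it is worth confirming that it accounts for two endpoints of LIBUSB_DT_ENDPOINT_SIZE each.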
_______________________________________________ libusbx-devel mailing list libusbx-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/libusbx-devel
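The stride mismatch described in the message above, as an added example that is not part of the original post or of libusbx. The struct, sizes, endpoint addresses and the canary region are constructed for illustration, and the buffer is assumed to be sized to the sum of the packed wire sizes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wire sizes of the packed descriptors, as in the USB and HID specs. */
#define CONFIG_SIZE    9
#define INTERFACE_SIZE 9
#define HID_SIZE       9
#define ENDPOINT_SIZE  7
#define TOTAL_SIZE (CONFIG_SIZE + INTERFACE_SIZE + HID_SIZE + 2 * ENDPOINT_SIZE)
#define GUARD 64  /* canary region standing in for whatever follows the buffer */

/* Hypothetical host-side struct: the 7 wire bytes plus extra members, so
 * sizeof(struct ep_desc) > ENDPOINT_SIZE and pointer++ overshoots. */
struct ep_desc {
    uint8_t  bLength, bDescriptorType, bEndpointAddress, bmAttributes;
    uint16_t wMaxPacketSize;
    uint8_t  bInterval, bRefresh, bSynchAddress;
    const unsigned char *extra;
    int extra_length;
};

/* Serialize one endpoint descriptor at byte offset off (constructed values). */
static void put_endpoint(uint8_t *buf, size_t off, uint8_t addr, uint16_t max_pkt)
{
    uint8_t wire[ENDPOINT_SIZE] = { ENDPOINT_SIZE, 0x05, addr, 0x03,
        (uint8_t)(max_pkt & 0xff), (uint8_t)(max_pkt >> 8), 10 };
    memcpy(buf + off, wire, sizeof wire);
}

/* Place two endpoints `stride` bytes apart and count canary bytes destroyed. */
size_t guard_bytes_clobbered(size_t stride)
{
    uint8_t arena[TOTAL_SIZE + GUARD];
    size_t first = CONFIG_SIZE + INTERFACE_SIZE + HID_SIZE, hit = 0, i;

    memset(arena, 0, TOTAL_SIZE);
    memset(arena + TOTAL_SIZE, 0xCC, GUARD);
    put_endpoint(arena, first, 0x81, 63);           /* first endpoint  */
    put_endpoint(arena, first + stride, 0x02, 63);  /* second endpoint */
    for (i = 0; i < GUARD; i++)
        hit += (arena[TOTAL_SIZE + i] != 0xCC);
    return hit;
}

size_t buggy_stride(void) { return sizeof(struct ep_desc); } /* what ed++ adds */
size_t fixed_stride(void) { return ENDPOINT_SIZE; }          /* wire-size step */

int main(void)
{
    return !(guard_bytes_clobbered(buggy_stride()) > 0 &&
             guard_bytes_clobbered(fixed_stride()) == 0);
}
```

With the struct-sized stride the second descriptor lands entirely past the packed buffer, which is the kind of write a stack cookie check reports; with the wire-size stride the canary is untouched.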