Per USB HID spec, the buffer holding key codes should be 8-byte long. Today's code assumes that the key codes buffer length is 8-byte long and unconditionally accesses the key codes buffer. It's incorrect. The patch fixes the issue by returning Device Error when the length is less than 8-byte.
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu...@intel.com> Cc: Star Zeng <star.z...@intel.com> Cc: Jiewen Yao <jiewen....@intel.com> Cc: Steven Shi <steven....@intel.com> --- MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c index 9cb4b5db6b..7505951c82 100644 --- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c +++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c @@ -1059,6 +1059,10 @@ KeyboardHandler ( // Byte 1 is reserved. // Bytes 2 to 7 are keycodes. // + if (DataLength < 8) { + return EFI_DEVICE_ERROR; + } + CurKeyCodeBuffer = (UINT8 *) Data; OldKeyCodeBuffer = UsbKeyboardDevice->LastKeyCodeArray; -- 2.16.1.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel