From f43c01fa82ce76273162bb940363809386ad1d80 Mon Sep 17 00:00:00 2001
From: =?utf8?q?R=C3=A9mi=20Bernon?=
Date: Mon, 7 Jun 2021 11:11:37 +0200
Subject: [PATCH] hidclass.sys: Don't crash when no buffer was provided.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: RĂ©mi Bernon
Signed-off-by: Alexandre Julliard
---
 dlls/hidclass.sys/device.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/dlls/hidclass.sys/device.c b/dlls/hidclass.sys/device.c
index 73ea6610ab8..82366ad1888 100644
--- a/dlls/hidclass.sys/device.c
+++ b/dlls/hidclass.sys/device.c
@@ -345,6 +345,12 @@ static NTSTATUS HID_get_feature(BASE_DEVICE_EXTENSION *ext, IRP *irp)
 out_buffer = MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority);
 TRACE_(hid_report)("Device %p Buffer length %i Buffer %p\n", ext, irpsp->Parameters.DeviceIoControl.OutputBufferLength, out_buffer);
+ if (!irpsp->Parameters.DeviceIoControl.OutputBufferLength || !out_buffer)
+ {
+ irp->IoStatus.Status = STATUS_BUFFER_TOO_SMALL;
+ return rc;
+ }
+
 len = sizeof(*packet) + irpsp->Parameters.DeviceIoControl.OutputBufferLength;
 packet = malloc(len);
 packet->reportBufferLen = irpsp->Parameters.DeviceIoControl.OutputBufferLength;
@@ -495,6 +501,12 @@ NTSTATUS WINAPI pdo_ioctl(DEVICE_OBJECT *device, IRP *irp)
 BYTE *buffer = MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority);
 ULONG out_length;
+ if (!irpsp->Parameters.DeviceIoControl.OutputBufferLength || !buffer)
+ {
+ irp->IoStatus.Status = STATUS_BUFFER_TOO_SMALL;
+ break;
+ }
+
 packet = malloc(packet_size);
 if (ext->u.pdo.preparsed_data->reports[0].reportID)
-- 
2.11.4.GIT
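Review bot: The result of `packet = malloc(len);` in HID_get_feature is dereferenced on the very next line (`packet->reportBufferLen = ...`) without a NULL check, so the function can still crash when the allocation fails. `len` is derived from the caller-supplied OutputBufferLength, so a very large request is the likely trigger. A guard such as `if (!(packet = malloc(len))) { irp->IoStatus.Status = STATUS_NO_MEMORY; return STATUS_NO_MEMORY; }` would close it, and `packet = malloc(packet_size);` in the pdo_ioctl hunk needs the equivalent check. Separately, the new early exit uses `return rc;` although the hunk never assigns rc; its declaration is outside the hunk, so if it still holds a success value the return code would disagree with the STATUS_BUFFER_TOO_SMALL just stored in irp->IoStatus.Status, and `return STATUS_BUFFER_TOO_SMALL;` would be unambiguous. Both function bodies start and end outside the hunks, so the initial value of rc and the types of `len` and `packet_size` should be confirmed there.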