From 43d246c5c24291bd578eb46cfbc388dc74204db3 Mon Sep 17 00:00:00 2001
From: Jacob Abrams
Date: Fri, 21 Feb 2020 10:16:16 -0800
Subject: [PATCH] Prevent infinite loop on zero length USB descriptors

If a USB device descriptor has zero length it is invalid and iteration should stop otherwise the code iterating will go into an infinite loop.

Bug: 149986186
Test: attach bad USB device with invalid descriptor length 0 then attach a good USB device and ensure it is recognized properly
Change-Id: I7571a6357bdc13af221cf8be01eba16f5bc976a3
---
 libusbhost/usbhost.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libusbhost/usbhost.c b/libusbhost/usbhost.c
index 415488fc0..3bed0e367 100644
--- a/libusbhost/usbhost.c
+++ b/libusbhost/usbhost.c
@@ -597,6 +597,11 @@ struct usb_descriptor_header *usb_descriptor_iter_next(struct usb_descriptor_ite
 if (iter->curr_desc >= iter->config_end)
 return NULL;
 next = (struct usb_descriptor_header*)iter->curr_desc;
+ // Corrupt descriptor with zero length, cannot continue iterating
+ if (next->bLength == 0) {
+ D("usb_descriptor_iter_next got zero length USB descriptor, ending iteration\n");
+ return NULL;
+ }
 iter->curr_desc += next->bLength;
 return next;
 }
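Review bot: The added guard in usb_descriptor_iter_next stops only on `bLength == 0`; a descriptor whose bLength is 1, or larger than the bytes remaining before `iter->config_end`, is still returned to the caller and still advances `curr_desc`. Because the descriptor bytes are supplied by the attached device, a caller that reads fields of the returned header beyond what is actually present (callers are not visible in this hunk) could read past the end of the configuration data. Consider widening the check to `if (next->bLength < sizeof(*next) || next->bLength > iter->config_end - iter->curr_desc)` and returning NULL there as well, assuming `curr_desc` and `config_end` are byte pointers as the pointer arithmetic suggests. The function's signature and local declarations lie outside the hunk, so the types should be confirmed before applying this.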