Add interface bounds checks in darwin and windows endpoint functions
A broken device with invalid interface numbering could cause
an out-of-bounds array access.
Fixes #1039
Closes #1093
diff --git a/libusb/os/darwin_usb.c b/libusb/os/darwin_usb.c
index af3c4e9..a22ab30 100644
--- a/libusb/os/darwin_usb.c
+++ b/libusb/os/darwin_usb.c
@@ -1430,6 +1430,10 @@
return rc;
}
+ if (iface >= config->bNumInterfaces) {
+ usbi_err (HANDLE_CTX (dev_handle), "interface %d out of range for device", iface);
+ return LIBUSB_ERROR_NOT_FOUND;
+ }
endpoint_desc = config->interface[iface].altsetting[alt_setting].endpoint + i - 1;
cInterface->endpoint_addrs[i - 1] = endpoint_desc->bEndpointAddress;
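Review bot: The added guard bounds only `iface`; on the very next line `altsetting[alt_setting]` and `endpoint + i - 1` are still indexed with values that are not compared against the parsed descriptor, so a device that reports an inconsistent alternate setting or pipe count can still cause a read past those arrays. Consider extending the check with `alt_setting >= config->interface[iface].num_altsetting` and `i > config->interface[iface].altsetting[alt_setting].bNumEndpoints`, returning `LIBUSB_ERROR_NOT_FOUND` in the same way. The same gap applies to `altsetting[altsetting]` in the windows_winusb.c hunk. The enclosing function starts and ends outside this hunk, so the origin of `alt_setting` and `i` is inferred from how they are used here.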
diff --git a/libusb/os/windows_winusb.c b/libusb/os/windows_winusb.c
index a03d6a5..9e6ccaa 100644
--- a/libusb/os/windows_winusb.c
+++ b/libusb/os/windows_winusb.c
@@ -523,6 +523,10 @@
return r;
}
+ if (iface >= conf_desc->bNumInterfaces) {
+ usbi_err(HANDLE_CTX(dev_handle), "interface %d out of range for device", iface);
+ return LIBUSB_ERROR_NOT_FOUND;
+ }
if_desc = &conf_desc->interface[iface].altsetting[altsetting];
safe_free(priv->usb_interface[iface].endpoint);
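Review bot: The new early return appears to leave `conf_desc` allocated: the preceding `return r;` looks like the failure path of the call that fills it, and nothing in the added block releases it before `return LIBUSB_ERROR_NOT_FOUND;`. If so, add `libusb_free_config_descriptor(conf_desc);` ahead of that return; `config` in the darwin_usb.c hunk would need the same treatment. Since this path is taken precisely when a device misbehaves, a leak on every attempt is worth closing. The start of the function and its normal cleanup are outside the hunk, so this should be confirmed against the full body.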
diff --git a/libusb/version_nano.h b/libusb/version_nano.h
index 3806cf8..6d64606 100644
--- a/libusb/version_nano.h
+++ b/libusb/version_nano.h
@@ -1 +1 @@
-#define LIBUSB_NANO 11708
+#define LIBUSB_NANO 11709