Fix Coverity CID 1530056: validate tainted allocation size before malloc

Copilot · Youw · Copilot · commit 40bdfa5a1322 · 2026-03-09T15:59:20.000Z
Add a bounds check on size_of_preparsed_data (computed from file-sourced
FirstByteOfLinkCollectionArray and NumberLinkCollectionNodes) before
passing it to malloc(). This ensures the tainted scalar values read via
sscanf are sanitized by verifying the allocation size is within a
permissible range (1 MB).

Co-authored-by: Youw &lt;5939659+Youw@users.noreply.github.com&gt;
diff --git a/windows/test/hid_report_reconstructor_test.c b/windows/test/hid_report_reconstructor_test.c
@@ -123,6 +123,11 @@ static hidp_preparsed_data * alloc_preparsed_data_from_file(char* filename)
 
 		if (FirstByteOfLinkCollectionArray != 0 && NumberLinkCollectionNodes != 0) {
 			size_t size_of_preparsed_data = offsetof(hidp_preparsed_data, caps) + FirstByteOfLinkCollectionArray + (NumberLinkCollectionNodes * sizeof(hid_pp_link_collection_node));
+			if (size_of_preparsed_data > 1024 * 1024) {
+				fprintf(stderr, "Error: preparsed data size too large: %zu\n", size_of_preparsed_data);
+				fclose(file);
+				return NULL;
+			}
 			pp_data->FirstByteOfLinkCollectionArray = FirstByteOfLinkCollectionArray;
 			pp_data->NumberLinkCollectionNodes = NumberLinkCollectionNodes;
 			FirstByteOfLinkCollectionArray = 0;
