From e17f41b6388f522268ecacd4c096171d9f32c9df Mon Sep 17 00:00:00 2001 From: Richard Hughes Date: Fri, 9 Sep 2022 11:58:09 +0100 Subject: [PATCH] rts54hid: Fix possible unsafe memcpy() PVS: A call of the 'memcpy' function will lead to underflow of the buffer. --- plugins/rts54hid/fu-rts54hid-device.c | 65 +++++++++++++++++++++++---- plugins/rts54hid/fu-rts54hid-module.c | 22 +++++++-- 2 files changed, 75 insertions(+), 12 deletions(-) diff --git a/plugins/rts54hid/fu-rts54hid-device.c b/plugins/rts54hid/fu-rts54hid-device.c index eb14e0bb7..2a3b9796e 100644 --- a/plugins/rts54hid/fu-rts54hid-device.c +++ b/plugins/rts54hid/fu-rts54hid-device.c @@ -8,8 +8,6 @@ #include -#include - #include "fu-rts54hid-common.h" #include "fu-rts54hid-device.h" @@ -43,7 +41,16 @@ fu_rts54hid_device_set_clock_mode(FuRts54HidDevice *self, gboolean enable, GErro .parameters = 0, }; guint8 buf[FU_RTS54FU_HID_REPORT_LENGTH] = {0}; - memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); + + if (!fu_memcpy_safe(buf, + sizeof(buf), + 0x0, /* dst */ + (const guint8 *)&cmd_buffer, + sizeof(cmd_buffer), + 0x0, /* src */ + sizeof(cmd_buffer), + error)) + return FALSE; if (!fu_hid_device_set_report(FU_HID_DEVICE(self), 0x0, buf, @@ -68,7 +75,16 @@ fu_rts54hid_device_reset_to_flash(FuRts54HidDevice *self, GError **error) .parameters = 0, }; guint8 buf[FU_RTS54FU_HID_REPORT_LENGTH] = {0}; - memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); + + if (!fu_memcpy_safe(buf, + sizeof(buf), + 0x0, /* dst */ + (const guint8 *)&cmd_buffer, + sizeof(cmd_buffer), + 0x0, /* src */ + sizeof(cmd_buffer), + error)) + return FALSE; if (!fu_hid_device_set_report(FU_HID_DEVICE(self), 0x0, buf, 
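Review bot: The bounds check added in fu_rts54hid_device_set_clock_mode() compares two compile-time constants, `sizeof(buf)` and `sizeof(cmd_buffer)`. Its `return FALSE` path can therefore only fire after someone changes the struct or FU_RTS54FU_HID_REPORT_LENGTH, and it would then fail on every call at runtime instead of failing the build. A build-time guard next to the `buf` declaration states the invariant directly: `G_STATIC_ASSERT(sizeof(cmd_buffer) <= FU_RTS54FU_HID_REPORT_LENGTH);`. The same applies to the identical replacements in reset_to_flash, write_flash, verify_update_fw, erase_spare_bank and ensure_status, and to i2c_write and i2c_read in fu-rts54hid-module.c. The function body starts and ends outside the hunk.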
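Review bot: The eight-argument fu_memcpy_safe() call added in fu_rts54hid_device_reset_to_flash() is repeated verbatim in every function this patch touches. Eight hand-maintained copies of the same offset and size list are easy to get out of step the next time one call site is edited. A single helper would keep the bounds logic in one place and shrink each call site to one condition; both files already include fu-rts54hid-common.h, so it could live there. The helper name below is only a suggestion, and the function body continues outside the hunk.

```c
/* copy a command header to the start of a zeroed HID report buffer */
static inline gboolean
fu_rts54hid_cmd_buffer_pack(guint8 *buf,
			    gsize bufsz,
			    const guint8 *cmd,
			    gsize cmdsz,
			    GError **error)
{
	return fu_memcpy_safe(buf, bufsz, 0x0, /* dst */
			      cmd, cmdsz, 0x0, /* src */
			      cmdsz, error);
}

/* ... unchanged: cmd_buffer and buf declarations ... */
	if (!fu_rts54hid_cmd_buffer_pack(buf, sizeof(buf),
					 (const guint8 *)&cmd_buffer, sizeof(cmd_buffer),
					 error))
		return FALSE;
/* ... unchanged: fu_hid_device_set_report() call ... */
```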
@@ -102,7 +118,15 @@ fu_rts54hid_device_write_flash(FuRts54HidDevice *self, g_return_val_if_fail(data != NULL, FALSE); g_return_val_if_fail(data_sz != 0, FALSE); - memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); + if (!fu_memcpy_safe(buf, + sizeof(buf), + 0x0, /* dst */ + (const guint8 *)&cmd_buffer, + sizeof(cmd_buffer), + 0x0, /* src */ + sizeof(cmd_buffer), + error)) + return FALSE; if (!fu_memcpy_safe(buf, sizeof(buf), FU_RTS54HID_CMD_BUFFER_OFFSET_DATA, /* dst */ @@ -141,7 +165,15 @@ fu_rts54hid_device_verify_update_fw(FuRts54HidDevice *self, FuProgress *progress guint8 buf[FU_RTS54FU_HID_REPORT_LENGTH] = {0}; /* set then get */ - memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); + if (!fu_memcpy_safe(buf, + sizeof(buf), + 0x0, /* dst */ + (const guint8 *)&cmd_buffer, + sizeof(cmd_buffer), + 0x0, /* src */ + sizeof(cmd_buffer), + error)) + return FALSE; if (!fu_hid_device_set_report(FU_HID_DEVICE(self), 0x0, buf, @@ -184,7 +216,16 @@ fu_rts54hid_device_erase_spare_bank(FuRts54HidDevice *self, GError **error) .parameters = 0, }; guint8 buf[FU_RTS54FU_HID_REPORT_LENGTH] = {0}; - memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); + + if (!fu_memcpy_safe(buf, + sizeof(buf), + 0x0, /* dst */ + (const guint8 *)&cmd_buffer, + sizeof(cmd_buffer), + 0x0, /* src */ + sizeof(cmd_buffer), + error)) + return FALSE; if (!fu_hid_device_set_report(FU_HID_DEVICE(self), 0x0, buf, @@ -215,7 +256,15 @@ fu_rts54hid_device_ensure_status(FuRts54HidDevice *self, GError **error) g_autofree gchar *version = NULL; /* set then get */ - memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); + if (!fu_memcpy_safe(buf, + sizeof(buf), + 0x0, /* dst */ + (const guint8 *)&cmd_buffer, + sizeof(cmd_buffer), + 0x0, /* src */ + sizeof(cmd_buffer), + error)) + return FALSE; if (!fu_hid_device_set_report(FU_HID_DEVICE(self), 0x0, buf, diff --git a/plugins/rts54hid/fu-rts54hid-module.c b/plugins/rts54hid/fu-rts54hid-module.c index 2c4a5e6c7..439d85a46 100644 --- a/plugins/rts54hid/fu-rts54hid-module.c 
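Review bot: In fu_rts54hid_device_write_flash() the header copy and the payload copy that follows it are each bounded against `sizeof(buf)`, but not against each other. Nothing in the hunk ties `sizeof(cmd_buffer)` to FU_RTS54HID_CMD_BUFFER_OFFSET_DATA, so if the struct ever grew past that offset the payload would overwrite the tail of the header while both checks still passed. `G_STATIC_ASSERT(sizeof(cmd_buffer) <= FU_RTS54HID_CMD_BUFFER_OFFSET_DATA);` would pin the layout at build time, unless the header already guarantees it somewhere this patch does not show. The same pair of copies appears in fu_rts54hid_module_i2c_write(). The declarations of `buf` and `cmd_buffer` and the rest of the function are outside the hunk.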
+++ b/plugins/rts54hid/fu-rts54hid-module.c @@ -8,8 +8,6 @@ #include -#include - #include "fu-rts54hid-common.h" #include "fu-rts54hid-device.h" #include "fu-rts54hid-module.h" @@ -70,7 +68,15 @@ fu_rts54hid_module_i2c_write(FuRts54HidModule *self, if (parent == NULL) return FALSE; - memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); + if (!fu_memcpy_safe(buf, + sizeof(buf), + 0x0, /* dst */ + (const guint8 *)&cmd_buffer, + sizeof(cmd_buffer), + 0x0, /* src */ + sizeof(cmd_buffer), + error)) + return FALSE; if (!fu_memcpy_safe(buf, sizeof(buf), FU_RTS54HID_CMD_BUFFER_OFFSET_DATA, /* dst */ @@ -122,7 +128,15 @@ fu_rts54hid_module_i2c_read(FuRts54HidModule *self, return FALSE; /* read from module */ - memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); + if (!fu_memcpy_safe(buf, + sizeof(buf), + 0x0, /* dst */ + (const guint8 *)&cmd_buffer, + sizeof(cmd_buffer), + 0x0, /* src */ + sizeof(cmd_buffer), + error)) + return FALSE; if (!fu_hid_device_set_report(FU_HID_DEVICE(parent), 0x0, buf,
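Review bot: The `(const guint8 *)&cmd_buffer` cast in fu_rts54hid_module_i2c_read() still sends the struct's in-memory representation to the device as-is, and the new bounds check does not cover that assumption. It is only a correct wire format if the struct is packed and its multi-byte fields are already in the byte order the device expects; without packing, padding bytes with unspecified contents would go out in the report. The struct definition is in a header this patch does not show, so neither can be confirmed from here. A comment at the struct declaration would record the contract, e.g. `/* sent to the device verbatim: keep packed, fields in device byte order */`. This applies to every call site in the patch, and the function body extends outside the hunk.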