Guard against zero length buffers in hid_write (#279)

Author: JnyJny

libusb/hid.c

@@ -1043,9 +1043,15 @@ hid_device * HID_API_EXPORT hid_open_path(const char *path)
 int HID_API_EXPORT hid_write(hid_device *dev, const unsigned char *data, size_t length)
 {
 	int res;
-	int report_number = data[0];
+	int report_number;
 	int skipped_report_id = 0;
 
+	if (!data || (length ==0)) {
+		return -1;
+	}
+
+	report_number = data[0];
+
 	if (report_number == 0x0) {
 		data++;
 		length--;

linux/hid.c

@@ -963,6 +963,12 @@ int HID_API_EXPORT hid_write(hid_device *dev, const unsigned char *data, size_t
 {
 	int bytes_written;
 
+	if (!data || (length == 0)) {
+		errno = EINVAL;
+		register_device_error(dev, strerror(errno));
+		return -1;
+	}
+
 	bytes_written = write(dev->device_handle, data, length);
 
 	register_device_error(dev, (bytes_written == -1)? strerror(errno): NULL);

mac/hid.c

@@ -898,7 +898,13 @@ static int set_report(hid_device *dev, IOHIDReportType type, const unsigned char
 	const unsigned char *data_to_send = data;
 	CFIndex length_to_send = length;
 	IOReturn res;
-	const unsigned char report_id = data[0];
+	unsigned char report_id;
+
+	if (!data || (length == 0)) {
+		return -1;
+	}
+
+	report_id = data[0];
 
 	if (report_id == 0x0) {
 		/* Not using numbered Reports.

windows/hid.c

@@ -659,6 +659,11 @@ int HID_API_EXPORT HID_API_CALL hid_write(hid_device *dev, const unsigned char *
 
 	unsigned char *buf;
 
+	if (!data || (length==0)) {
+		register_error(dev, "Zero length buffer");
+		return function_result;
+	}
+
 	/* Make sure the right number of bytes are passed to WriteFile. Windows
 	   expects the number of bytes which are in the _longest_ report (plus
 	   one for the report number) bytes even if the data is a report