From 99a4d2ce0890fbc924b7b6d88c6975a6772dadfd Mon Sep 17 00:00:00 2001
From: Vladimir Kondratyev <wulf@FreeBSD.org>
Date: Sat, 21 Jul 2018 14:20:17 +0000
Subject: [PATCH] Raise "Report Count" value limit in HID descriptor parser.

This fixes usage/report size calculation of Microsoft`s "Touch Hardware
Quality Assurance" certificate blob found in many touchscreens.

While here, join several "c->flags = dval" lines in to single line.

Reviewed by:	hselasky
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D16357
---
 sys/dev/usb/usb_hid.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/sys/dev/usb/usb_hid.c b/sys/dev/usb/usb_hid.c
index b68a364e689..9e9909178fa 100644
--- a/sys/dev/usb/usb_hid.c
+++ b/sys/dev/usb/usb_hid.c
@@ -74,6 +74,7 @@ static uint8_t hid_get_byte(struct hid_data *s, const uint16_t wSize);
 #define	MAXUSAGE 64
 #define	MAXPUSH 4
 #define	MAXID 16
+#define	MAXLOCCNT 1024
 
 struct hid_pos_data {
 	int32_t rid;
@@ -91,10 +92,10 @@ struct hid_data {
 	int32_t usage_last;	/* last seen usage */
 	uint32_t loc_size;	/* last seen size */
 	uint32_t loc_count;	/* last seen count */
+	uint32_t ncount;	/* end usage item count */
+	uint32_t icount;	/* current usage item count */
 	uint8_t	kindset;	/* we have 5 kinds so 8 bits are enough */
 	uint8_t	pushlevel;	/* current pushlevel */
-	uint8_t	ncount;		/* end usage item count */
-	uint8_t icount;		/* current usage item count */
 	uint8_t	nusage;		/* end "usages_min/max" index */
 	uint8_t	iusage;		/* current "usages_min/max" index */
 	uint8_t ousage;		/* current "usages_min/max" offset */
@@ -347,18 +348,19 @@ hid_get_item(struct hid_data *s, struct hid_item *h)
 			switch (bTag) {
 			case 8:	/* Input */
 				c->kind = hid_input;
-				c->flags = dval;
 		ret:
+				c->flags = dval;
 				c->loc.count = s->loc_count;
 				c->loc.size = s->loc_size;
 
 				if (c->flags & HIO_VARIABLE) {
 					/* range check usage count */
-					if (c->loc.count > 255) {
+					if (c->loc.count > MAXLOCCNT) {
 						DPRINTFN(0, "Number of "
-						    "items(%u) truncated to 255\n",
-						    (unsigned)(c->loc.count));
-						s->ncount = 255;
+						    "items(%u) truncated to %u\n",
+						    (unsigned)(c->loc.count),
+						    MAXLOCCNT);
+						s->ncount = MAXLOCCNT;
 					} else
 						s->ncount = c->loc.count;
 
@@ -374,7 +376,6 @@ hid_get_item(struct hid_data *s, struct hid_item *h)
 
 			case 9:	/* Output */
 				c->kind = hid_output;
-				c->flags = dval;
 				goto ret;
 			case 10:	/* Collection */
 				c->kind = hid_collection;
@@ -385,7 +386,6 @@ hid_get_item(struct hid_data *s, struct hid_item *h)
 				return (1);
 			case 11:	/* Feature */
 				c->kind = hid_feature;
-				c->flags = dval;
 				goto ret;
 			case 12:	/* End collection */
 				c->kind = hid_endcollection;