pfCM_Get_Device_IDA() NULL pointer dereference in wdi_create_list()

[jynik]

I'm following these instructions to build a wdi-simple capable of installing a user-provided signed driver or the WinUSB driver.

wdi_create_list() appears to be crashing due to pfCM_Get_Device_IDA being NULL at libwdi.c:775.

I do not encounter this issue with changeset b3ba0e15237d6385f2971e40cf327a4efd40b484. Bisecting between there and master indicates that a61334522f42e58e8c0d0f4b142a6a0d963be044 introduces the change that results in this behavior.

Just a few observations from stepping through this with a debugger...

I see that pfCM_Get_Device_IDA appears to have a valid value after the wdi_prepare_driver's call to init_dlls() @ libwdi.c:1004.

However, I see that this is getting zeroed out by following the call to wdi_is_driver_supported() @ libwdi.c:1040. The memset call in wdi_is_driver_supported() @ libwdi.c:463 appears to be responsible for this.

Because I'm calling wdi-simple.exe with --type 3, I see that wdi_is_driver_supported() being called with &driver_version[3], which appears to be an out-of-bounds access, given that driver_version is defined as containing three elements. That would explain why that memset() call is clobbering the items that follow the driver_version, including the pfCM_Get_Device_IDA() function pointer.

Hopefully this is some sufficient amount of information. Apologies for not proposing a remediation; I'm a bit short on time for the next few days. However, I'll do my best to reply to requests for additional info, if needed.

This was all from a VS2013 64-bit build, with libusb-win32 and libusbK disabled, and a user-defined driver enabled in config.h.

[pbatard]

Thanks for the detailed report. I think I now have a fix for this, which will be in the next release.