descriptor: Guard against corrupted descriptor length field

A messed-up descriptor could potentially cause an infinite loop.

Also applied to an instance in the Linux backend.

Closes #1308

[Tormod: Rephrase error messages]
Signed-off-by: Tormod Volden <debian.tormod@gmail.com>

libusb/descriptor.c

@@ -1220,6 +1220,11 @@ static int parse_iad_array(struct libusb_context *ctx,
 	iad_array->length = 0;
 	while (consumed < size) {
 		parse_descriptor(buf, "bb", &header);
+		if (header.bLength < 2) {
+			usbi_err(ctx, "invalid descriptor bLength %d",
+				 header.bLength);
+			return LIBUSB_ERROR_IO;
+		}
 		if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION)
 			iad_array->length++;
 		buf += header.bLength;

libusb/os/linux_usbfs.c

@@ -652,7 +652,7 @@ static int seek_to_next_config(struct libusb_context *ctx,
 
 	while (len > 0) {
 		if (len < 2) {
-			usbi_err(ctx, "short descriptor read %zu/2", len);
+			usbi_err(ctx, "remaining descriptor length too small %zu/2", len);
 			return LIBUSB_ERROR_IO;
 		}
 
@@ -660,6 +660,11 @@ static int seek_to_next_config(struct libusb_context *ctx,
 		if (header->bDescriptorType == LIBUSB_DT_CONFIG)
 			return offset;
 
+		if (header->bLength < 2) {
+			usbi_err(ctx, "invalid descriptor bLength %hhu", header->bLength);
+			return LIBUSB_ERROR_IO;
+		}
+
 		if (len < header->bLength) {
 			usbi_err(ctx, "bLength overflow by %zu bytes",
 				 (size_t)header->bLength - len);

libusb/version_nano.h

@@ -1 +1 @@
-#define LIBUSB_NANO 11811
+#define LIBUSB_NANO 11812