authorRyan Hileman <lunixbochs@gmail.com>2022-03-18 08:54:52 -0700
committerTormod Volden <debian.tormod@gmail.com>2022-03-18 19:26:57 +0100
commitf5275f9a87db898af56060958df182ef7e5c1240 (patch)
tree3b1a1123644e41196a95dc59529041fb90c3c2e1
parent0d9731ef67da17f3ab606a4b41d4acf64b3d4f69 (diff)
Add interface bounds checks in darwin and windows endpoint functions
A broken device with invalid interface numbering could cause an out-of-bounds array access. Fixes #1039 Closes #1093
-rw-r--r--libusb/os/darwin_usb.c4
-rw-r--r--libusb/os/windows_winusb.c4
-rw-r--r--libusb/version_nano.h2
3 files changed, 9 insertions, 1 deletions
diff --git a/libusb/os/darwin_usb.c b/libusb/os/darwin_usb.c
index af3c4e9..a22ab30 100644
--- a/libusb/os/darwin_usb.c
+++ b/libusb/os/darwin_usb.c
@@ -1430,6 +1430,10 @@ static enum libusb_error get_endpoints (struct libusb_device_handle *dev_handle,
return rc;
}
+ if (iface >= config->bNumInterfaces) {
+ usbi_err (HANDLE_CTX (dev_handle), "interface %d out of range for device", iface);
+ return LIBUSB_ERROR_NOT_FOUND;
+ }
endpoint_desc = config->interface[iface].altsetting[alt_setting].endpoint + i - 1;
cInterface->endpoint_addrs[i - 1] = endpoint_desc->bEndpointAddress;
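Review bot: The alternate-setting index is still unchecked after the new guard: `config->interface[iface].altsetting[alt_setting]` is indexed with `alt_setting` without comparing it to `config->interface[iface].num_altsetting`, and the same holds for `altsetting` in the windows_winusb.c hunk. Since the commit is aimed at devices whose descriptors are inconsistent, the guard would be more complete as `if (iface >= config->bNumInterfaces || alt_setting >= config->interface[iface].num_altsetting)`. The endpoint offset `i - 1` is likewise not compared with that altsetting's `bNumEndpoints` in the visible lines. Where `alt_setting` and `i` come from is outside the hunk, so an earlier check may already cover them; get_endpoints starts and ends outside the hunk.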
diff --git a/libusb/os/windows_winusb.c b/libusb/os/windows_winusb.c
index a03d6a5..9e6ccaa 100644
--- a/libusb/os/windows_winusb.c
+++ b/libusb/os/windows_winusb.c
@@ -523,6 +523,10 @@ static int windows_assign_endpoints(struct libusb_device_handle *dev_handle, uin
return r;
}
+ if (iface >= conf_desc->bNumInterfaces) {
+ usbi_err(HANDLE_CTX(dev_handle), "interface %d out of range for device", iface);
+ return LIBUSB_ERROR_NOT_FOUND;
+ }
if_desc = &conf_desc->interface[iface].altsetting[altsetting];
safe_free(priv->usb_interface[iface].endpoint);
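Review bot: The added early return may leak `conf_desc`, because the branch returns `LIBUSB_ERROR_NOT_FOUND` without releasing it. The `return r;` just above suggests the descriptor was obtained by a getter call that precedes the hunk. If that call allocates it, add `libusb_free_config_descriptor(conf_desc);` before `return LIBUSB_ERROR_NOT_FOUND;`. The allocation and the function's other exits are outside the hunk, so this needs confirming against the full body of windows_assign_endpoints.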
diff --git a/libusb/version_nano.h b/libusb/version_nano.h
index 3806cf8..6d64606 100644
--- a/libusb/version_nano.h
+++ b/libusb/version_nano.h
@@ -1 +1 @@
-#define LIBUSB_NANO 11708
+#define LIBUSB_NANO 11709