File wireshark-0017-CVE-2026-3201.patch of Package wireshark.43028
commit 5e80615ebc95c3f57235ab2699b03e45d8071a1c
Author: Michael Mann <mmann78@netscape.net>
Date: Mon Jan 26 16:44:58 2026 +0000
USB-HID: Bugfix resource exhaustion in parse_report_descriptor()
Sanity range check was removed in 739666a7f5acc270204980e01b4069caf5060f30, restore it
AI-Assisted: no
Fixes #20972
(cherry picked from commit 6f753c79b7c8ac382e6383dfabd7d5be6e2b722c)
Co-authored-by: Michael Mann <mmann78@netscape.net>
diff --git a/epan/dissectors/packet-usb-hid.c b/epan/dissectors/packet-usb-hid.c
index 0b83b7724e..585ca8edc7 100644
--- a/epan/dissectors/packet-usb-hid.c
+++ b/epan/dissectors/packet-usb-hid.c
@@ -3729,6 +3729,7 @@ hid_unpack_signed(guint8 *data, unsigned int idx, unsigned int size, gint32 *value)
return FALSE;
}
+#define MAX_REPORT_DESCRIPTOR_COUNT 100000 // Arbitrary
static gboolean
parse_report_descriptor(report_descriptor_t *rdesc)
{
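Review bot: The comment on `MAX_REPORT_DESCRIPTOR_COUNT` says only "Arbitrary", and the name does not say what is being counted. The one use visible in this patch compares it against the number of entries in `field.usages`. I would document that on the define, for example `/* Cap on entries accumulated in field.usages while parsing; the value is arbitrary and only bounds allocation for malformed descriptors */`, using a `/* */` comment like the other comments visible in this file. `parse_report_descriptor()` only begins in this hunk; its body continues outside it.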
@@ -3910,7 +3911,7 @@ parse_report_descriptor(report_descriptor_t *rdesc)
}
/* Usage min and max must be on the same page */
- if (USAGE_PAGE(usage_min) != USAGE_PAGE(usage_max)) {
+ if (USAGE_PAGE(usage_min) != USAGE_PAGE(usage_max)) {
goto err;
}
@@ -3918,6 +3919,10 @@ parse_report_descriptor(report_descriptor_t *rdesc)
goto err;
}
+ if (wmem_array_get_count(field.usages) + usage_max - usage_min >= MAX_REPORT_DESCRIPTOR_COUNT) {
+ goto err;
+ }
+
/* min and max are inclusive */
wmem_array_grow(field.usages, usage_max - usage_min + 1);
for (guint32 j = usage_min; j <= usage_max; j++) {
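Review bot: The loop on the hunk's last line still terminates on `j <= usage_max` with a `guint32` counter, and that condition can never become false if `usage_max` is the largest 32-bit value; the added limit bounds the number of entries but not the loop's end value. The declarations of `usage_min`/`usage_max` and the condition of the guard that ends just above the new check are outside the hunk, so this needs confirming against the full function. Iterating over a count removes the dependency on the end value: `const guint32 n = usage_max - usage_min + 1;` followed by `for (guint32 k = 0; k < n; k++)`, using `usage_min + k` in the body. The new comparison also assumes `usage_min <= usage_max` already holds, so I would parenthesise `(usage_max - usage_min)` and say so in a short comment. The loop body lies outside the hunk.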