From 1e2b69bf3ab61979a05e796e76c8ecd1ec251c42 Mon Sep 17 00:00:00 2001
From: Dennis Cagle <d-cagle@codeaurora.org>
Date: Thu, 5 Jan 2017 17:22:13 -0800
Subject: [PATCH] input: misc: fix heap overflow issue in hbtp_input.c

Add the boundary check for ABS code before setting ABS params,
to avoid heap overflow.

Bug: 32341680
CRs-fixed: 1096301
Change-Id: I6aad9916c92d2f775632406374dbb803063148de
Signed-off-by: Vevek Venkatesan <vevekv@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
---
 drivers/input/misc/hbtp_input.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/input/misc/hbtp_input.c b/drivers/input/misc/hbtp_input.c
index ef17d386644c9..7877e9b9f5162 100644
--- a/drivers/input/misc/hbtp_input.c
+++ b/drivers/input/misc/hbtp_input.c
@@ -129,9 +129,13 @@ static int hbtp_input_create_input_dev(struct hbtp_input_absinfo *absinfo)
 	input_mt_init_slots(input_dev, HBTP_MAX_FINGER, 0);
 	for (i = 0; i <= ABS_MT_LAST - ABS_MT_FIRST; i++) {
 		abs = absinfo + i;
-		if (abs->active)
-			input_set_abs_params(input_dev, abs->code,
+		if (abs->active) {
+			if (abs->code >= 0 && abs->code < ABS_CNT)
+				input_set_abs_params(input_dev, abs->code,
 					abs->minimum, abs->maximum, 0, 0);
+			else
+				pr_err("%s: ABS code out of bound\n", __func__);
+		}
 	}
 
 	error = input_register_device(input_dev);