mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
55 lines
1.7 KiB
Diff
55 lines
1.7 KiB
Diff
From a50829479f58416a013a4ccca791336af3c584c7 Mon Sep 17 00:00:00 2001
|
|
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Date: Mon, 23 Oct 2017 16:46:00 -0700
|
|
Subject: [PATCH] Input: gtco - fix potential out-of-bound access
|
|
|
|
parse_hid_report_descriptor() has a while (i < length) loop, which
|
|
only guarantees that there's at least 1 byte in the buffer, but the
|
|
loop body can read multiple bytes which causes out-of-bounds access.
|
|
|
|
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
|
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
---
|
|
drivers/input/tablet/gtco.c | 17 ++++++++++-------
|
|
1 file changed, 10 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
|
|
index b796e891e2eed..4b8b9d7aa75e2 100644
|
|
--- a/drivers/input/tablet/gtco.c
|
|
+++ b/drivers/input/tablet/gtco.c
|
|
@@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
|
|
|
|
/* Walk this report and pull out the info we need */
|
|
while (i < length) {
|
|
- prefix = report[i];
|
|
-
|
|
- /* Skip over prefix */
|
|
- i++;
|
|
+ prefix = report[i++];
|
|
|
|
/* Determine data size and save the data in the proper variable */
|
|
- size = PREF_SIZE(prefix);
|
|
+ size = (1U << PREF_SIZE(prefix)) >> 1;
|
|
+ if (i + size > length) {
|
|
+ dev_err(ddev,
|
|
+ "Not enough data (need %d, have %d)\n",
|
|
+ i + size, length);
|
|
+ break;
|
|
+ }
|
|
+
|
|
switch (size) {
|
|
case 1:
|
|
data = report[i];
|
|
@@ -244,8 +248,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
|
|
case 2:
|
|
data16 = get_unaligned_le16(&report[i]);
|
|
break;
|
|
- case 3:
|
|
- size = 4;
|
|
+ case 4:
|
|
data32 = get_unaligned_le32(&report[i]);
|
|
break;
|
|
}
|