[PATCH libinput 1/8] evdev: Don't write out of bounds when mt slot is too large

Jonas Ådahl jadahl at gmail.com
Tue Mar 25 13:45:52 PDT 2014


Signed-off-by: Jonas Ådahl <jadahl at gmail.com>
---
 src/evdev.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/evdev.c b/src/evdev.c
index 72e4086..ff8b27a 100644
--- a/src/evdev.c
+++ b/src/evdev.c
@@ -132,6 +132,9 @@ evdev_flush_pending_event(struct evdev_device *device, uint32_t time)
 		if (!(device->seat_caps & EVDEV_DEVICE_TOUCH))
 			break;
 
+		if (slot >= MAX_SLOTS)
+			break;
+
 		seat_slot = ffs(~seat->slot_map) - 1;
 		device->mt.slots[slot].seat_slot = seat_slot;
 
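Review bot: The new guard `if (slot >= MAX_SLOTS)` tests only the upper bound, so whether it fully prevents the out-of-bounds access to `device->mt.slots[slot]` depends on the type of `slot`, which is declared outside this hunk. If `slot` (and `device->mt.slot`) is a signed integer taken from the event value, a negative index would pass the comparison and still index before the start of the array; `if (slot < 0 || slot >= MAX_SLOTS)` covers both ends. The same applies to the identical guards in the two following hunks of evdev_flush_pending_event and to the `device->mt.slot >= MAX_SLOTS` checks in evdev_process_touch. The enclosing switch case starts and ends outside the hunk.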
@@ -148,6 +151,9 @@ evdev_flush_pending_event(struct evdev_device *device, uint32_t time)
 		if (!(device->seat_caps & EVDEV_DEVICE_TOUCH))
 			break;
 
+		if (slot >= MAX_SLOTS)
+			break;
+
 		seat_slot = device->mt.slots[slot].seat_slot;
 		x = li_fixed_from_int(device->mt.slots[slot].x);
 		y = li_fixed_from_int(device->mt.slots[slot].y);
@@ -161,6 +167,9 @@ evdev_flush_pending_event(struct evdev_device *device, uint32_t time)
 		if (!(device->seat_caps & EVDEV_DEVICE_TOUCH))
 			break;
 
+		if (slot >= MAX_SLOTS)
+			break;
+
 		seat_slot = device->mt.slots[slot].seat_slot;
 
 		if (seat_slot == -1)
@@ -300,11 +309,15 @@ evdev_process_touch(struct evdev_device *device,
 			device->pending_event = EVDEV_ABSOLUTE_MT_UP;
 		break;
 	case ABS_MT_POSITION_X:
+		if (device->mt.slot >= MAX_SLOTS)
+			break;
 		device->mt.slots[device->mt.slot].x = e->value;
 		if (device->pending_event == EVDEV_NONE)
 			device->pending_event = EVDEV_ABSOLUTE_MT_MOTION;
 		break;
 	case ABS_MT_POSITION_Y:
+		if (device->mt.slot >= MAX_SLOTS)
+			break;
 		device->mt.slots[device->mt.slot].y = e->value;
 		if (device->pending_event == EVDEV_NONE)
 			device->pending_event = EVDEV_ABSOLUTE_MT_MOTION;
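Review bot: An out-of-range slot makes the ABS_MT_POSITION_X and ABS_MT_POSITION_Y cases drop the coordinate silently, and nothing in the code says why. A device reporting a slot beyond MAX_SLOTS is unexpected input, so a short comment above each guard, such as `/* slot index exceeds mt.slots[]; ignore this event */`, and ideally a one-time log message through the project's logging facility, would make the lost touches diagnosable. The same index test now appears five times in this patch; validating the value once where `device->mt.slot` is assigned (outside this hunk) may be simpler, if the surrounding code allows it.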
-- 
1.8.3.2


