[PATCH libinput 1/8] evdev: Don't write out of bounds when mt slot is too large

Peter Hutterer peter.hutterer at who-t.net
Wed Mar 26 01:05:19 PDT 2014 

On Tue, Mar 25, 2014 at 09:45:52PM +0100, Jonas Ådahl wrote:
> Signed-off-by: Jonas Ådahl <jadahl at gmail.com>

patch looks good, but I do wonder if it'd be better to just dynamically
allocate slots based on the number of touches. A quick glance shows we don't
really need this a fixed length anyway, MAX_SLOTS is unnecessary.

Cheers,
   Peter

> ---
>  src/evdev.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/src/evdev.c b/src/evdev.c
> index 72e4086..ff8b27a 100644
> --- a/src/evdev.c
> +++ b/src/evdev.c
> @@ -132,6 +132,9 @@ evdev_flush_pending_event(struct evdev_device *device, uint32_t time)
>  		if (!(device->seat_caps & EVDEV_DEVICE_TOUCH))
>  			break;
>  
> +		if (slot >= MAX_SLOTS)
> +			break;
> +
>  		seat_slot = ffs(~seat->slot_map) - 1;
>  		device->mt.slots[slot].seat_slot = seat_slot;
>  
> @@ -148,6 +151,9 @@ evdev_flush_pending_event(struct evdev_device *device, uint32_t time)
>  		if (!(device->seat_caps & EVDEV_DEVICE_TOUCH))
>  			break;
>  
> +		if (slot >= MAX_SLOTS)
> +			break;
> +
>  		seat_slot = device->mt.slots[slot].seat_slot;
>  		x = li_fixed_from_int(device->mt.slots[slot].x);
>  		y = li_fixed_from_int(device->mt.slots[slot].y);
> @@ -161,6 +167,9 @@ evdev_flush_pending_event(struct evdev_device *device, uint32_t time)
>  		if (!(device->seat_caps & EVDEV_DEVICE_TOUCH))
>  			break;
>  
> +		if (slot >= MAX_SLOTS)
> +			break;
> +
>  		seat_slot = device->mt.slots[slot].seat_slot;
>  
>  		if (seat_slot == -1)
> @@ -300,11 +309,15 @@ evdev_process_touch(struct evdev_device *device,
>  			device->pending_event = EVDEV_ABSOLUTE_MT_UP;
>  		break;
>  	case ABS_MT_POSITION_X:
> +		if (device->mt.slot >= MAX_SLOTS)
> +			break;
>  		device->mt.slots[device->mt.slot].x = e->value;
>  		if (device->pending_event == EVDEV_NONE)
>  			device->pending_event = EVDEV_ABSOLUTE_MT_MOTION;
>  		break;
>  	case ABS_MT_POSITION_Y:
> +		if (device->mt.slot >= MAX_SLOTS)
> +			break;
>  		device->mt.slots[device->mt.slot].y = e->value;
>  		if (device->pending_event == EVDEV_NONE)
>  			device->pending_event = EVDEV_ABSOLUTE_MT_MOTION;
> -- 
> 1.8.3.2
> 
> _______________________________________________
> wayland-devel mailing list
> wayland-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/wayland-devel
>

More information about the wayland-devel mailing list