diff options
| author | Alex Warg <alexander.warg@os.inf.tu-dresden.de> | 2010-06-30 10:33:46 +1000 |
|---|---|---|
| committer | Peter Hutterer <peter.hutterer@who-t.net> | 2010-07-01 08:16:07 +1000 |
| commit | 421585fda6ce67c209d43952109dda056ee40941 (patch) | |
| tree | ea76fff6d2536c349d8a25b6b0f0451f90c07b32 | |
| parent | man: some minor fixes to man page. (diff) | |
| download | xf86-input-evdev-421585fda6ce67c209d43952109dda056ee40941.tar.gz xf86-input-evdev-421585fda6ce67c209d43952109dda056ee40941.tar.bz2 xf86-input-evdev-421585fda6ce67c209d43952109dda056ee40941.zip | |
Fix out-of-bounds access if more than MAX_VALUATORS are present. (#28809)
The functions EvdevAddRelClass and EvdevAddAbsClass do out of bounds
accesses to vals and old_vals arrays in the EvdevRec structure if there are
more than MAX_VALUATORS axes reported by the kernel.
X.Org Bug 28809 <http://bugs.freedesktop.org/show_bug.cgi?id=28809>
Signed-off-by: Alex Warg <alexander.warg@os.inf.tu-dresden.de>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
| -rw-r--r-- | src/evdev.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/src/evdev.c b/src/evdev.c index bd92d91..cd0fb6c 100644 --- a/src/evdev.c +++ b/src/evdev.c @@ -1149,12 +1149,18 @@ EvdevAddAbsClass(DeviceIntPtr device) num_axes = CountBits(pEvdev->abs_bitmask, NLONGS(ABS_MAX)); if (num_axes < 1) return !Success; + + if (num_axes > MAX_VALUATORS) { + xf86Msg(X_WARNING, "%s: found %d axes, limiting to %d.\n", device->name, num_axes, MAX_VALUATORS); + num_axes = MAX_VALUATORS; + } + pEvdev->num_vals = num_axes; memset(pEvdev->vals, 0, num_axes * sizeof(int)); memset(pEvdev->old_vals, -1, num_axes * sizeof(int)); atoms = malloc(pEvdev->num_vals * sizeof(Atom)); - for (axis = ABS_X; axis <= ABS_MAX; axis++) { + for (axis = ABS_X; i < MAX_VALUATORS && axis <= ABS_MAX; axis++) { pEvdev->axis_map[axis] = -1; if (!TestBit(axis, pEvdev->abs_bitmask)) continue; @@ -1270,11 +1276,16 @@ EvdevAddRelClass(DeviceIntPtr device) if (num_axes <= 0) return !Success; + if (num_axes > MAX_VALUATORS) { + xf86Msg(X_WARNING, "%s: found %d axes, limiting to %d.\n", device->name, num_axes, MAX_VALUATORS); + num_axes = MAX_VALUATORS; + } + pEvdev->num_vals = num_axes; memset(pEvdev->vals, 0, num_axes * sizeof(int)); atoms = malloc(pEvdev->num_vals * sizeof(Atom)); - for (axis = REL_X; axis <= REL_MAX; axis++) + for (axis = REL_X; i < MAX_VALUATORS && axis <= REL_MAX; axis++) { pEvdev->axis_map[axis] = -1; /* We don't post wheel events, so ignore them here too */ |