From 421585fda6ce67c209d43952109dda056ee40941 Mon Sep 17 00:00:00 2001 From: Alex Warg Date: Wed, 30 Jun 2010 10:33:46 +1000 Subject: Fix out-of-bounds access if more than MAX_VALUATORS are present. (#28809) The functions EvdevAddRelClass and EvdevAddAbsClass do out of bounds accesses to vals and old_vals arrays in the EvdevRec structure if there are more than MAX_VALUATORS axes reported by the kernel. X.Org Bug 28809 Signed-off-by: Alex Warg Signed-off-by: Peter Hutterer --- src/evdev.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/evdev.c b/src/evdev.c index bd92d91..cd0fb6c 100644 --- a/src/evdev.c +++ b/src/evdev.c @@ -1149,12 +1149,18 @@ EvdevAddAbsClass(DeviceIntPtr device) num_axes = CountBits(pEvdev->abs_bitmask, NLONGS(ABS_MAX)); if (num_axes < 1) return !Success; + + if (num_axes > MAX_VALUATORS) { + xf86Msg(X_WARNING, "%s: found %d axes, limiting to %d.\n", device->name, num_axes, MAX_VALUATORS); + num_axes = MAX_VALUATORS; + } + pEvdev->num_vals = num_axes; memset(pEvdev->vals, 0, num_axes * sizeof(int)); memset(pEvdev->old_vals, -1, num_axes * sizeof(int)); atoms = malloc(pEvdev->num_vals * sizeof(Atom)); - for (axis = ABS_X; axis <= ABS_MAX; axis++) { + for (axis = ABS_X; i < MAX_VALUATORS && axis <= ABS_MAX; axis++) { pEvdev->axis_map[axis] = -1; if (!TestBit(axis, pEvdev->abs_bitmask)) continue; @@ -1270,11 +1276,16 @@ EvdevAddRelClass(DeviceIntPtr device) if (num_axes <= 0) return !Success; + if (num_axes > MAX_VALUATORS) { + xf86Msg(X_WARNING, "%s: found %d axes, limiting to %d.\n", device->name, num_axes, MAX_VALUATORS); + num_axes = MAX_VALUATORS; + } + pEvdev->num_vals = num_axes; memset(pEvdev->vals, 0, num_axes * sizeof(int)); atoms = malloc(pEvdev->num_vals * sizeof(Atom)); - for (axis = REL_X; axis <= REL_MAX; axis++) + for (axis = REL_X; i < MAX_VALUATORS && axis <= REL_MAX; axis++) { pEvdev->axis_map[axis] = -1; /* We don't post wheel events, so ignore them here too */ -- cgit v1.2.3