Input: psmouse - fix OOB access in Elantech protocol (d5ca4799) · Commits · e / devices / android_kernel_fairphone_FP5

drivers/input/mouse/elantech.c

+5 −4

Original line number	Original line	Diff line number	Diff line
	@@ -674,10 +674,11 @@ static void process_packet_head_v4(struct psmouse *psmouse)
	struct input_dev *dev = psmouse->dev;		struct input_dev *dev = psmouse->dev;
	struct elantech_data *etd = psmouse->private;		struct elantech_data *etd = psmouse->private;
	unsigned char *packet = psmouse->packet;		unsigned char *packet = psmouse->packet;
	int id = ((packet[3] & 0xe0) >> 5) - 1;		int id;
	int pres, traces;		int pres, traces;

	if (id < 0)		id = ((packet[3] & 0xe0) >> 5) - 1;
			if (id < 0 \|\| id >= ETP_MAX_FINGERS)
	return;		return;

	etd->mt[id].x = ((packet[1] & 0x0f) << 8) \| packet[2];		etd->mt[id].x = ((packet[1] & 0x0f) << 8) \| packet[2];
	@@ -707,7 +708,7 @@ static void process_packet_motion_v4(struct psmouse *psmouse)
	int id, sid;		int id, sid;

	id = ((packet[0] & 0xe0) >> 5) - 1;		id = ((packet[0] & 0xe0) >> 5) - 1;
	if (id < 0)		if (id < 0 \|\| id >= ETP_MAX_FINGERS)
	return;		return;

	sid = ((packet[3] & 0xe0) >> 5) - 1;		sid = ((packet[3] & 0xe0) >> 5) - 1;
	@@ -728,7 +729,7 @@ static void process_packet_motion_v4(struct psmouse *psmouse)
	input_report_abs(dev, ABS_MT_POSITION_X, etd->mt[id].x);		input_report_abs(dev, ABS_MT_POSITION_X, etd->mt[id].x);
	input_report_abs(dev, ABS_MT_POSITION_Y, etd->mt[id].y);		input_report_abs(dev, ABS_MT_POSITION_Y, etd->mt[id].y);

	if (sid >= 0) {		if (sid >= 0 && sid < ETP_MAX_FINGERS) {
	etd->mt[sid].x += delta_x2 * weight;		etd->mt[sid].x += delta_x2 * weight;
	etd->mt[sid].y -= delta_y2 * weight;		etd->mt[sid].y -= delta_y2 * weight;
	input_mt_slot(dev, sid);		input_mt_slot(dev, sid);