+10
−7
Loading
Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more
parse_hid_report_descriptor() has a while (i < length) loop, which only guarantees that there's at least 1 byte in the buffer, but the loop body can read multiple bytes which causes out-of-bounds access. Reported-by:Andrey Konovalov <andreyknvl@google.com> Reviewed-by:
Andrey Konovalov <andreyknvl@google.com> Cc: stable@vger.kernel.org Signed-off-by:
Dmitry Torokhov <dmitry.torokhov@gmail.com>