Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a5082947 authored by Dmitry Torokhov's avatar Dmitry Torokhov
Browse files

Input: gtco - fix potential out-of-bound access 



parse_hid_report_descriptor() has a while (i < length) loop, which
only guarantees that there's at least 1 byte in the buffer, but the
loop body can read multiple bytes which causes out-of-bounds access.

Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Reviewed-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
parent 57a95b41

drivers/input/tablet/gtco.c

+10 −7
Original line number Diff line number Diff line
@@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, 


	/* Walk  this report and pull out the info we need */

	while (i < length) {

		prefix = report[i];



		/* Skip over prefix */

		i++;

		prefix = report[i++];



		/* Determine data size and save the data in the proper variable */

		size = PREF_SIZE(prefix);

		size = (1U << PREF_SIZE(prefix)) >> 1;

		if (i + size > length) {

			dev_err(ddev,

				"Not enough data (need %d, have %d)\n",

				i + size, length);

			break;

		}



		switch (size) {

		case 1:

			data = report[i];
@@ -244,8 +248,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, 
		case 2:

			data16 = get_unaligned_le16(&report[i]);

			break;

		case 3:

			size = 4;

		case 4:

			data32 = get_unaligned_le32(&report[i]);

			break;

		}