Input: gtco - fix potential out-of-bound access (649de266) · Commits · e / devices / android_kernel_xiaomi_markw

parse_hid_report_descriptor() has a while (i < length) loop, which only guarantees that there's at least 1 byte in the buffer, but the loop body can read multiple bytes which causes out-of-bounds access. Reported-by:

Andrey Konovalov <andreyknvl@google.com> Reviewed-by:

Andrey Konovalov <andreyknvl@google.com> Cc: stable@vger.kernel.org Signed-off-by:

Dmitry Torokhov <dmitry.torokhov@gmail.com> Change-Id: I7b57556c100d28d8f10c03ea5480224e770fb64a Git-commit: a50829479f58416a013a4ccca791336af3c584c7 Git-repo: https://android.googlesource.com/kernel/common Signed-off-by:

Srinivasa Rao Kuppala <srkupp@codeaurora.org>

drivers/input/tablet/gtco.c

+10 −7

Original line number	Diff line number	Diff line
		@@ -231,13 +231,17 @@ static void parse_hid_report_descriptor(struct gtco device, char report,

		/* Walk this report and pull out the info we need */
		while (i < length) {
		prefix = report[i];

		/* Skip over prefix */
		i++;
		prefix = report[i++];

		/* Determine data size and save the data in the proper variable */
		size = PREF_SIZE(prefix);
		size = (1U << PREF_SIZE(prefix)) >> 1;
		if (i + size > length) {
		dev_err(ddev,
		"Not enough data (need %d, have %d)\n",
		i + size, length);
		break;
		}

		switch (size) {
		case 1:
		data = report[i];
		@@ -245,8 +249,7 @@ static void parse_hid_report_descriptor(struct gtco device, char report,
		case 2:
		data16 = get_unaligned_le16(&report[i]);
		break;
		case 3:
		size = 4;
		case 4:
		data32 = get_unaligned_le32(&report[i]);
		break;
		}