Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9c737434 authored by Dmitry Torokhov's avatar Dmitry Torokhov Committed by Greg Kroah-Hartman
Browse files

Input: gtco - fix potential out-of-bound access 



commit a50829479f58416a013a4ccca791336af3c584c7 upstream.

parse_hid_report_descriptor() has a while (i < length) loop, which
only guarantees that there's at least 1 byte in the buffer, but the
loop body can read multiple bytes which causes out-of-bounds access.

Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Reviewed-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent b7be20b0

drivers/input/tablet/gtco.c

+10 −7
Original line number Diff line number Diff line
@@ -231,13 +231,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, 


	/* Walk  this report and pull out the info we need */

	while (i < length) {

		prefix = report[i];



		/* Skip over prefix */

		i++;

		prefix = report[i++];



		/* Determine data size and save the data in the proper variable */

		size = PREF_SIZE(prefix);

		size = (1U << PREF_SIZE(prefix)) >> 1;

		if (i + size > length) {

			dev_err(ddev,

				"Not enough data (need %d, have %d)\n",

				i + size, length);

			break;

		}



		switch (size) {

		case 1:

			data = report[i];
@@ -245,8 +249,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, 
		case 2:

			data16 = get_unaligned_le16(&report[i]);

			break;

		case 3:

			size = 4;

		case 4:

			data32 = get_unaligned_le32(&report[i]);

			break;

		}