Re: [PATCH 03/20] Input: atmel_mxt_ts - verify object size in mxt_write_object
From: Joonyoung Shim <hidden>
Date: 2012-03-14 01:33:04
Also in:
lkml
On 03/13/2012 09:04 PM, Daniel Kurtz wrote:
quoted hunk ↗ jump to hunk
Don't allow writing past the length of an object. Signed-off-by: Daniel Kurtz<redacted> --- drivers/input/touchscreen/atmel_mxt_ts.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c index 0d4d492..e18c698 100644 --- a/drivers/input/touchscreen/atmel_mxt_ts.c +++ b/drivers/input/touchscreen/atmel_mxt_ts.c@@ -506,7 +506,7 @@ static int mxt_write_object(struct mxt_data *data, u16 reg; object = mxt_get_object(data, type); - if (!object) + if (!object || offset>= object->size)
The object->size is actual object size - 1. + if (!object || offset> object->size)
return -EINVAL; reg = object->start_address;