Re: [PATCH 03/20] Input: atmel_mxt_ts - verify object size inmxt_write_object
From: Joonyoung Shim
Date: Tue Mar 13 2012 - 21:33:02 EST
On 03/13/2012 09:04 PM, Daniel Kurtz wrote:
Don't allow writing past the length of an object.
Signed-off-by: Daniel Kurtz<djkurtz@xxxxxxxxxxxx>
---
drivers/input/touchscreen/atmel_mxt_ts.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c
index 0d4d492..e18c698 100644
--- a/drivers/input/touchscreen/atmel_mxt_ts.c
+++ b/drivers/input/touchscreen/atmel_mxt_ts.c
@@ -506,7 +506,7 @@ static int mxt_write_object(struct mxt_data *data,
u16 reg;
object = mxt_get_object(data, type);
- if (!object)
+ if (!object || offset>= object->size)
The object->size is actual object size - 1.
+ if (!object || offset> object->size)
return -EINVAL;
reg = object->start_address;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/