Avoid out-of-bounds access by running num_active_touches < 0 (#49439)

If a touch is active during driver init, the slot will be set to SLOTSTATE_CLOSE when it finishes. That could decrease num_active_touches to less than 0, causing out-of-bounds access. X.Org Bug 49439 <http://bugs.freedesktop.org/show_bug.cgi?id=49439> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Chase Douglas <chase.douglas@canonical.com> (cherry picked from commit 77d766b1d535dff9a27c7db343ede85d9f44850b)
author: Peter Hutterer <peter.hutterer@who-t.net> 2012-05-11 12:27:39 +1000
committer: Peter Hutterer <peter.hutterer@who-t.net> 2012-05-16 11:52:35 +1000
commit: 23065a974e5dcdf0d6a436a0547bb7887d306a6f (patch)
tree: 34ac098fe7ac405a1a213d9c396c136dd3d5827c
parent: e0f5688994baa85a8c658120681575cdd0ba2a58 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/src/synaptics.c b/src/synaptics.c
index 30d79c5..1d32093 100644
--- a/src/synaptics.c
+++ b/src/synaptics.c
@@ -3128,7 +3128,9 @@ UpdateTouchState(InputInfoPtr pInfo, struct SynapticsHwState *hw)
                     priv->open_slots[j] = priv->open_slots[j + 1];
             }
 
-            priv->num_active_touches--;
+            BUG_WARN(priv->num_active_touches == 0);
+            if (priv->num_active_touches > 0)
+                priv->num_active_touches--;
         }
     }
author	Peter Hutterer <peter.hutterer@who-t.net>	2012-05-11 12:27:39 +1000
committer	Peter Hutterer <peter.hutterer@who-t.net>	2012-05-16 11:52:35 +1000
commit	23065a974e5dcdf0d6a436a0547bb7887d306a6f (patch)
tree	34ac098fe7ac405a1a213d9c396c136dd3d5827c
parent	e0f5688994baa85a8c658120681575cdd0ba2a58 (diff)