diff options
author | Peter Hutterer <peter.hutterer@who-t.net> | 2013-04-26 10:09:10 +1000 |
---|---|---|
committer | Peter Hutterer <peter.hutterer@who-t.net> | 2013-04-26 10:18:48 +1000 |
commit | 8fcc413285d347ecb6a27e0761ef4ce6fd56ca0a (patch) | |
tree | a0b54e13c72a562856c6a264f3443833d6b39f70 /src | |
parent | 947d96faabc7267177da32fbfc9f8c3a81b576af (diff) |
Fix stack smash in clickpad_guess_clickfingers()
Apple Magic Trackpad can report 16 slots. In clickpad_guess_clickfingers()
the array allocated on the stack contains only 10 slots.
As (.num_mt_mask == .num_slots), the function writes out of the bounds
of close_point.
Use a size 32 bitmask instead and warn if we ever get past 32 touchpoints.
This fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=952221
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Conflicts:
src/synaptics.c
Diffstat (limited to 'src')
-rw-r--r-- | src/synaptics.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/src/synaptics.c b/src/synaptics.c index 56dc55b..e00604b 100644 --- a/src/synaptics.c +++ b/src/synaptics.c @@ -2785,10 +2785,11 @@ clickpad_guess_clickfingers(SynapticsPrivate * priv, int nfingers = 0; #if HAVE_MULTITOUCH - char close_point[SYNAPTICS_MAX_TOUCHES] = { 0 }; /* 1 for each point close - to another one */ + uint32_t close_point = 0; /* 1 bit for each point close to another one */ int i, j; + BUG_RETURN_VAL(hw->num_mt_mask > sizeof(close_point) * 8, 0); + for (i = 0; i < hw->num_mt_mask - 1; i++) { ValuatorMask *f1; @@ -2820,14 +2821,16 @@ clickpad_guess_clickfingers(SynapticsPrivate * priv, * size. Good luck. */ if (abs(x1 - x2) < (priv->maxx - priv->minx) * .3 && abs(y1 - y2) < (priv->maxy - priv->miny) * .3) { - close_point[j] = 1; - close_point[i] = 1; + close_point |= (1 << j); + close_point |= (1 << i); } } } - for (i = 0; i < SYNAPTICS_MAX_TOUCHES; i++) - nfingers += close_point[i]; + while (close_point > 0) { + nfingers += close_point & 0x1; + close_point >>= 1; + } #endif return nfingers; |