From 77d766b1d535dff9a27c7db343ede85d9f44850b Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Fri, 11 May 2012 12:27:39 +1000
Subject: Avoid out-of-bounds access by running num_active_touches < 0 (#49439)

If a touch is active during driver init, the slot will be set to
SLOTSTATE_CLOSE when it finishes. That could decrease num_active_touches to
less than 0, causing out-of-bounds access.

X.Org Bug 49439 <http://bugs.freedesktop.org/show_bug.cgi?id=49439>

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
---
 src/synaptics.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/synaptics.c b/src/synaptics.c
index e792977..ff47857 100644
--- a/src/synaptics.c
+++ b/src/synaptics.c
@@ -2624,7 +2624,9 @@ UpdateTouchState(InputInfoPtr pInfo, struct SynapticsHwState *hw)
                     priv->open_slots[j] = priv->open_slots[j + 1];
             }
 
-            priv->num_active_touches--;
+            BUG_WARN(priv->num_active_touches == 0);
+            if (priv->num_active_touches > 0)
+                priv->num_active_touches--;
         }
     }
 
-- 
cgit v1.2.3