Message ID | 20220118223841.45870-1-jason.gerecke@wacom.com (mailing list archive) |
---|---|
State | Mainlined |
Commit | 20f3cf5f860f9f267a6a6e5642d3d0525edb1814 |
Delegated to: | Jiri Kosina |
Series | HID: wacom: Avoid using stale array indicies to read contact count |

On Tue, 18 Jan 2022, Jason Gerecke wrote:

> If we ever see a touch report with contact count data we initialize
> several variables used to read the contact count in the pre-report
> phase. These variables are never reset if we process a report which
> doesn't contain a contact count, however. This can cause the
> pre-report function to trigger a read of arbitrary memory (e.g. NULL
> if we're lucky) and potentially crash the driver.
>
> This commit restores resetting of the variables back to default
> "none" values that were used prior to the commit mentioned
> below.
>
> Link: https://github.com/linuxwacom/input-wacom/issues/276
> Fixes: 003f50ab673c (HID: wacom: Update last_slot_field during pre_report phase)
> CC: stable@vger.kernel.org
> Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
> Reviewed-by: Ping Cheng <ping.cheng@wacom.com>

Applied, thank you.

diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c index 92b52b1de526..a7176fc0635d 100644 --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -2682,6 +2682,10 @@ static void wacom_wac_finger_pre_report(struct hid_device *hdev, hid_data->confidence = true; + hid_data->cc_report = 0; + hid_data->cc_index = -1; + hid_data->cc_value_index = -1; + for (i = 0; i < report->maxfield; i++) { struct hid_field *field = report->field[i]; int j;
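
Review bot: the three resets added before the field loop in wacom_wac_finger_pre_report carry no comment saying that 0 and -1 are the "none" sentinels and that they have to be cleared on every report, not only when a contact count field is found. A one-line comment above `hid_data->cc_report = 0;` would make that invariant explicit and keep a later refactor from dropping the resets again, as the commit named in the Fixes: tag did. The hunk also does not show the code that consumes cc_index and cc_value_index, so it is worth confirming that the consumer tests for the negative sentinel before using either value as an array index.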
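
The stale-state condition described in the commit message, modelled in user space as an added example (not the driver's code and not part of the patch). The struct layouts, helper names, usage tag and sample reports are constructed; only the three `cc_*` field names come from the diff.

```c
#include <stdio.h>
/* Constructed model: only cc_report, cc_index, cc_value_index are names from the patch. */
enum { USAGE_CONTACT_COUNT = 1, CC_NONE = -1, CC_STALE = -2 };

struct field    { int usage; int value; };
struct report   { int id; int maxfield; const struct field *field; };
struct cc_state { int cc_report, cc_index, cc_value_index; };

/* Scan one report for a contact count field; 'reset' toggles the patch's three assignments. */
static void pre_report(struct cc_state *s, const struct report *r, int reset)
{
    if (reset) {
        s->cc_report = 0;
        s->cc_index = -1;
        s->cc_value_index = -1;
    }
    for (int i = 0; i < r->maxfield; i++) {
        if (r->field[i].usage != USAGE_CONTACT_COUNT)
            continue;
        s->cc_report = r->id;
        s->cc_index = i;
        s->cc_value_index = 0;
    }
}

/* Bounds-checked reader: flags an index left over from another report instead of using it. */
static int contact_count(const struct cc_state *s, const struct report *r)
{
    if (s->cc_index < 0 || s->cc_value_index < 0)
        return CC_NONE;
    if (s->cc_index >= r->maxfield)
        return CC_STALE;  /* an unchecked reader would index past the field array here */
    return r->field[s->cc_index].value;
}

/* Report 1 has a contact count at index 2, report 2 has none; return the read for report 2. */
static int second_report_result(int reset)
{
    static const struct field f1[] = { {0, 0}, {0, 0}, {USAGE_CONTACT_COUNT, 4} };
    static const struct field f2[] = { {0, 0} };
    const struct report r1 = { 1, 3, f1 }, r2 = { 2, 1, f2 };
    struct cc_state s = { 0, -1, -1 };
    pre_report(&s, &r1, reset);
    pre_report(&s, &r2, reset);
    return contact_count(&s, &r2);
}

int main(void)
{
    printf("no reset: %d, reset: %d\n", second_report_result(0), second_report_result(1));
    return 0;
}
```

Without the reset, the index recorded for the three-field report survives into the one-field report and the reader flags it as stale; with the reset, the second report reads as "none".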