From: Joonyoung Shim <jy0922.shim@samsung.com>
To: Daniel Kurtz <djkurtz@chromium.org>
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Iiro Valkonen <iiro.valkonen@atmel.com>,
	Henrik Rydberg <rydberg@euromail.se>,
	linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
	Benson Leung <bleung@chromium.org>,
	Yufeng Shen <miletus@chromium.org>
Subject: Re: [PATCH 03/20] Input: atmel_mxt_ts - verify object size in mxt_write_object
Date: Wed, 14 Mar 2012 10:33:23 +0900
Message-ID: <4F5FF563.7080308@samsung.com>
In-Reply-To: <1331640263-18935-4-git-send-email-djkurtz@chromium.org>

On 03/13/2012 09:04 PM, Daniel Kurtz wrote:
> Don't allow writing past the length of an object.
>
> Signed-off-by: Daniel Kurtz<djkurtz@chromium.org>
> ---
>   drivers/input/touchscreen/atmel_mxt_ts.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c
> index 0d4d492..e18c698 100644
> --- a/drivers/input/touchscreen/atmel_mxt_ts.c
> +++ b/drivers/input/touchscreen/atmel_mxt_ts.c
> @@ -506,7 +506,7 @@ static int mxt_write_object(struct mxt_data *data,
>   	u16 reg;
>
>   	object = mxt_get_object(data, type);
> -	if (!object)
> +	if (!object || offset>= object->size)

The object->size is actual object size - 1.

+	if (!object || offset>  object->size)


>   		return -EINVAL;
>
>   	reg = object->start_address;
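
Review bot: the bound added in "if (!object || offset>= object->size)" is only right if object->size holds the real byte count of the object. The reply above states that object->size is the actual size minus 1, and under that convention ">=" returns -EINVAL for a write to the last valid byte. Either compare with "offset > object->size", as the reply proposes, or add a short comment at the check stating which convention object->size uses, so the off-by-one is not reintroduced in either direction later. The commit message ("past the length of an object") would also benefit from naming that convention.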

