From mboxrd@z Thu Jan 1 00:00:00 1970 From: Joonyoung Shim Subject: Re: [PATCH 03/20] Input: atmel_mxt_ts - verify object size in mxt_write_object Date: Wed, 14 Mar 2012 11:37:39 +0900 Message-ID: <4F600473.1010607@samsung.com> References: <1331640263-18935-1-git-send-email-djkurtz@chromium.org> <1331640263-18935-4-git-send-email-djkurtz@chromium.org> <4F5FF563.7080308@samsung.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Return-path: Received: from mailout1.samsung.com ([203.254.224.24]:52252 "EHLO mailout1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1030236Ab2CNChR (ORCPT ); Tue, 13 Mar 2012 22:37:17 -0400 In-reply-to: <4F5FF563.7080308@samsung.com> Sender: linux-input-owner@vger.kernel.org List-Id: linux-input@vger.kernel.org To: Daniel Kurtz Cc: Dmitry Torokhov , Iiro Valkonen , Henrik Rydberg , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Benson Leung , Yufeng Shen On 03/14/2012 10:33 AM, Joonyoung Shim wrote: > On 03/13/2012 09:04 PM, Daniel Kurtz wrote: >> Don't allow writing past the length of an object. >> >> Signed-off-by: Daniel Kurtz >> --- >> drivers/input/touchscreen/atmel_mxt_ts.c | 2 +- >> 1 files changed, 1 insertions(+), 1 deletions(-) >> >> diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c >> b/drivers/input/touchscreen/atmel_mxt_ts.c >> index 0d4d492..e18c698 100644 >> --- a/drivers/input/touchscreen/atmel_mxt_ts.c >> +++ b/drivers/input/touchscreen/atmel_mxt_ts.c >> @@ -506,7 +506,7 @@ static int mxt_write_object(struct mxt_data *data, >> u16 reg; >> >> object = mxt_get_object(data, type); >> - if (!object) >> + if (!object || offset>= object->size) > > The object->size is actual object size - 1. > > + if (!object || offset> object->size) > OK. another patch covers this. > >> return -EINVAL; >> >> reg = object->start_address; >
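Review bot: The new bound in mxt_write_object, offset>= object->size, is off by one if object->size holds the object's length minus one, as the reply states: it would return -EINVAL for a write to the last valid byte. With that encoding the comparison should be offset > object->size. Alternatively, store the real length in object->size so that >= is the correct test here. The reply notes that another patch covers this, so the commit message or a comment beside the check should say which convention object->size follows at this point, so the bound can be verified from this change alone.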