• Vince Kim's avatar
    Input: cyttsp4 - avoid overflows when calculating memory sizes · a2c714e8
    Vince Kim authored
    There are several places to perform subtraction to calculate buffer
    size such as:
    
    si->si_ofs.cydata_size = si->si_ofs.test_ofs - si->si_ofs.cydata_ofs;
    ...
    p = krealloc(si->si_ptrs.cydata, si->si_ofs.cydata_size, GFP_KERNEL);
    
    Actually, data types of above variables during subtraction are size_t, so
    it is unsigned. That means if second operand(si->si_ofs.cydata_ofs) is
    greater than the first operand(si->si_ofs.test_ofs), then resulting
    si->si_ofs.cydata_size could result in an unsigned integer wrap which is
    not desirable.
    
    The proper way to correct this problem is to perform a test of both
    operands to avoid having unsigned wrap.
    Signed-off-by: default avatarVince Kim <vince.k.kim@gmail.com>
    Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
    a2c714e8
cyttsp4_core.c 55.8 KB