Don't sync past MAX_SLOTS slots

If a device has more than MAX_SLOTS slots, we'd run out-of-bounds on the sync
array. This function is sig-safe, so we can't alloc here, merely limit the
access.

Reported-by: Jonas Ådahl <jadahl@gmail.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Peter Hutterer 2014-02-27 11:36:04 +10:00
parent 5b0b2ae114
commit 2e06aed955
2 changed files with 5 additions and 1 deletions


@ -561,7 +561,7 @@ sync_mt_state(struct libevdev *dev, int create_events)
ioctl_success = 1;
}
for (i = 0; i < dev->num_slots; i++) {
for (i = 0; i < min(dev->num_slots, MAX_SLOTS); i++) {
int j;
struct input_event *ev;
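Review bot: The clamp in the loop condition, min(dev->num_slots, MAX_SLOTS), covers only this one loop, so any other per-slot loop in sync_mt_state() that indexes the sync array with dev->num_slots as its bound needs the same limit. Consider computing the clamped count once into a local before the loop and using that local for every per-slot access in the function, which keeps the bound in one place and avoids re-evaluating min() on each iteration. The commit message explains why the array cannot be grown here (the function is signal-safe, so no allocation); a short comment at the loop saying the same would stop a later change from reverting to dev->num_slots.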


@ -693,6 +693,10 @@ enum libevdev_read_status {
* device state delta. This function returns @ref LIBEVDEV_READ_STATUS_SYNC for
* each event part of that delta, until it returns -EAGAIN once all events
* have been synced.
* @note The implementation of libevdev limits the maximum number of slots
* that can be synched. If your device exceeds the number of slots
* (currently 32), slot indices equal and above this maximum are ignored and
* their value will not update until the next event in that slot.
*
* If a device needs to be synced by the caller but the caller does not call
* with the @ref LIBEVDEV_READ_FLAG_SYNC flag set, all events from the diff are
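Review bot: The added @note hardcodes the limit as "(currently 32)", which will go stale silently if MAX_SLOTS changes; either drop the number or add a comment next to the MAX_SLOTS definition pointing at this note so both are updated together. The note also spells it "synched" while the surrounding text uses "synced", and "slot indices equal and above this maximum" reads better as "slot indices equal to or above this maximum". Since the slots past the limit are skipped without any error, it would help callers if the note stated explicitly that no sync events are generated for those slots, so their state may be out of date after a SYN_DROPPED until the next event in that slot.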