From 2e06aed955f55f704b14c265391dc2ce418b8e9f Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Thu, 27 Feb 2014 11:36:04 +1000
Subject: [PATCH] Don't sync past MAX_SLOTS slots
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a device has more than MAX_SLOTS slots, we'd run out-of-bounds on the sync array. This function is sig-safe, so we can't alloc here, merely limit the access.
Reported-by: Jonas Ã…dahl
Signed-off-by: Peter Hutterer
Reviewed-by: Benjamin Tissoires
---
libevdev/libevdev.c | 2 +-
libevdev/libevdev.h | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/libevdev/libevdev.c b/libevdev/libevdev.c
index 6127e64..36359d4 100644
--- a/libevdev/libevdev.c
+++ b/libevdev/libevdev.c
@@ -561,7 +561,7 @@ sync_mt_state(struct libevdev *dev, int create_events)
 ioctl_success = 1;
 }
- for (i = 0; i < dev->num_slots; i++) {
+ for (i = 0; i < min(dev->num_slots, MAX_SLOTS); i++) {
 int j;
 struct input_event *ev;
diff --git a/libevdev/libevdev.h b/libevdev/libevdev.h
index d019114..b13e746 100644
--- a/libevdev/libevdev.h
+++ b/libevdev/libevdev.h
@@ -693,6 +693,10 @@ enum libevdev_read_status {
 * device state delta. This function returns @ref LIBEVDEV_READ_STATUS_SYNC for
 * each event part of that delta, until it returns -EAGAIN once all events
 * have been synced.
+ * @note The implementation of libevdev limits the maximum number of slots
+ * that can be synched. If your device exceeds the number of slots
+ * (currently 32), slot indices equal and above this maximum are ignored and
+ * their value will not update until the next event in that slot.
 *
 * If a device needs to be synced by the caller but the caller does not call
 * with the @ref LIBEVDEV_READ_FLAG_SYNC flag set, all events from the diff are
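Review bot: The clamp exists only in this one loop condition, so any other slot-indexed access in sync_mt_state that still uses `dev->num_slots` would keep the out-of-bounds access the commit message describes. The function starts and ends outside the hunk, so that cannot be confirmed from here. Computing the bound once, `const int nslots = min(dev->num_slots, MAX_SLOTS);`, and looping on `i < nslots` gives every access in the function the same limit. A comment such as `/* sync array holds MAX_SLOTS entries; no allocation here, function must stay signal-safe */` would keep the reason next to the bound. If `num_slots` can be negative, it is worth checking that `min` compares both operands as signed ints, so the loop still runs zero times.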
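Review bot: The added @note hard-codes `(currently 32)`, which will go stale if MAX_SLOTS is changed, and the definition of MAX_SLOTS is not visible in this diff to confirm the value. Either drop the literal in favour of wording like `a compile-time maximum number of slots`, or add a comment at the MAX_SLOTS definition saying this note must be updated with it. The note also does not tell callers how to detect that slots were skipped during a sync, which matters for clients that track per-slot state. It spells the word "synched" where the surrounding text uses "synced". The doc comment begins and ends outside the hunk.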