Skip to content

Commit

Permalink
HID: wacom: Avoid using stale array indicies to read contact count
Browse files Browse the repository at this point in the history
commit 20f3cf5 upstream.

If we ever see a touch report with contact count data we initialize
several variables used to read the contact count in the pre-report
phase. These variables are never reset if we process a report which
doesn't contain a contact count, however. This can cause the pre-
report function to trigger a read of arbitrary memory (e.g. NULL
if we're lucky) and potentially crash the driver.

This commit restores resetting of the variables back to default
"none" values that were used prior to the commit mentioned
below.

Link: linuxwacom/input-wacom#276
Fixes: 003f50a (HID: wacom: Update last_slot_field during pre_report phase)
CC: [email protected]
Signed-off-by: Jason Gerecke <[email protected]>
Reviewed-by: Ping Cheng <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
  • Loading branch information
jigpu authored and Sasha Levin committed Jan 23, 2022
1 parent a24f0f0 commit def8bf3
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions drivers/hid/wacom_wac.c
Original file line number Diff line number Diff line change
Expand Up @@ -2682,6 +2682,10 @@ static void wacom_wac_finger_pre_report(struct hid_device *hdev,

hid_data->confidence = true;

hid_data->cc_report = 0;
hid_data->cc_index = -1;
hid_data->cc_value_index = -1;

for (i = 0; i < report->maxfield; i++) {
struct hid_field *field = report->field[i];
int j;
Expand Down

0 comments on commit def8bf3

Please sign in to comment.