On Wed, Mar 14, 2012 at 9:33 AM, Joonyoung Shim <jy0922.shim@xxxxxxxxxxx> wrote: > > On 03/13/2012 09:04 PM, Daniel Kurtz wrote: >> >> Don't allow writing past the length of an object. >> >> Signed-off-by: Daniel Kurtz<djkurtz@xxxxxxxxxxxx> >> --- >> drivers/input/touchscreen/atmel_mxt_ts.c | 2 +- >> 1 files changed, 1 insertions(+), 1 deletions(-) >> >> diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c >> b/drivers/input/touchscreen/atmel_mxt_ts.c >> index 0d4d492..e18c698 100644 >> --- a/drivers/input/touchscreen/atmel_mxt_ts.c >> +++ b/drivers/input/touchscreen/atmel_mxt_ts.c >> @@ -506,7 +506,7 @@ static int mxt_write_object(struct mxt_data *data, >> u16 reg; >> >> object = mxt_get_object(data, type); >> - if (!object) >> + if (!object || offset>= object->size) > > > The object->size is actual object size - 1. > > + if (!object || offset> object->size) > Whoops. Good catch. Will move this patch after patch 08, which fixes the object size. > > >> return -EINVAL; >> >> reg = object->start_address; > > -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
