If a malformed HID report is sent from the device, a prefix with
TYPE_MAIN may read globtype before it is written with TYPE_GLOBAL.
The oldval array is protected from uninitialized read by the
indent counter.
Reported-by: syzbot+6a1bb5a33a0b128085bc@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Paul Hollinsky <phollinsky@xxxxxxxxxxxxxx>
---
drivers/input/tablet/gtco.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
index 44bb1f69b4b2..db030cd043d5 100644
--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -217,7 +217,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
__u32 usage = 0;
/* Global Values, indexed by TAG */
- __u32 globalval[TAG_GLOB_MAX];
+ __u32 globalval[TAG_GLOB_MAX] = { 0 };
__u32 oldval[TAG_GLOB_MAX];
/* Debug stuff */
--
2.25.1
