I've managed to provoke a segfault in DirectFB by unplugging a USB
input device.
linux_input_EventThread divides the result of reading from the input
device by sizeof(levt) prior to checking for error. Because the type
of sizeof may be unsigned, the int result of read is promoted
to unsigned prior to the division. This means that a read error will
cause readlen to contain a number larger than the size of the array,
causing the following loop to exceed its bounds.
This patch defers the division until the value is known to be positive.
Mike.
diff --git a/inputdrivers/linux_input/linux_input.c
b/inputdrivers/linux_input/linux_input.c
index a4fd232..05211b5 100644
--- a/inputdrivers/linux_input/linux_input.c
+++ b/inputdrivers/linux_input/linux_input.c
@@ -830,7 +830,7 @@ linux_input_EventThread( DirectThread *thread, void
*driver_data )
continue;
}
- readlen = read( data->fd, levt, sizeof(levt) ) / sizeof(levt[0]);
+ readlen = read( data->fd, levt, sizeof(levt) );
if (readlen < 0 && errno != EINTR)
break;
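Review bot: with the division removed, `readlen` now holds the raw byte count from read() rather than an event count, which is what makes `if (readlen < 0 && errno != EINTR)` see a genuinely negative value on failure; any use of `readlen` in the lines between this hunk and the next (not included in the diff) that still expects an event count needs the same adjustment. A one-line comment at the assignment saying why the division is deferred (the unsigned promotion by sizeof described in the cover letter) would stop someone folding it back in later.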
@@ -840,7 +840,7 @@ linux_input_EventThread( DirectThread *thread, void
*driver_data )
if (readlen <= 0)
continue;
- for (i=0; i<readlen; i++) {
+ for (i=0; i<readlen / sizeof(levt[0]); i++) {
DFBInputEvent devt;
if (data->touchpad) {
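Review bot: `i<readlen / sizeof(levt[0])` compares the signed loop counter against a size_t, the same mixed-signedness pattern the patch is fixing; it is only safe because `if (readlen <= 0) continue;` just above guarantees `readlen` is positive here. Computing the count once before the loop, e.g. `size_t nevents = readlen / sizeof(levt[0]);` and then `for (i=0; i<nevents; i++)`, makes that dependency explicit and avoids re-evaluating the division on every iteration. The truncating division also silently drops a trailing partial event when `readlen` is not a multiple of `sizeof(levt[0])`; that matches the previous behaviour, but is worth a comment.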
_______________________________________________
directfb-dev mailing list
[email protected]
http://mail.directfb.org/cgi-bin/mailman/listinfo/directfb-dev
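The promotion described in the cover letter, reproduced as an added example that is not DirectFB's code: `struct evt` and `NEVENTS` are constructed stand-ins for the driver's event struct and the size of `levt[]`, and a failed read() is simulated as the value -1 rather than read from a device.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>   /* ssize_t */

/* Constructed stand-in for struct input_event so this builds without
 * <linux/input.h>; only its size matters here. */
struct evt { unsigned long sec, usec; unsigned short type, code; int value; };

#define NEVENTS 64   /* stand-in for the number of elements in levt[] */

/* Before the patch: the division by sizeof() happens while the read()
 * result is still unchecked. -1 is converted to size_t (SIZE_MAX) before
 * dividing, so a failure becomes a huge positive count and the later
 * `readlen < 0` test never fires. Returns the value readlen would hold. */
ssize_t events_before_fix(ssize_t read_result) {
    ssize_t readlen = read_result / sizeof(struct evt);  /* unsigned promotion */
    if (readlen < 0)
        return -1;   /* unreachable for an error: readlen is already positive */
    return readlen;
}

/* After the patch: test the sign on the raw byte count, divide afterwards. */
ssize_t events_after_fix(ssize_t read_result) {
    if (read_result < 0)
        return -1;
    return (ssize_t)(read_result / sizeof(struct evt));
}

/* Would `for (i = 0; i < n; i++) ... levt[i]` stay inside levt[NEVENTS]? */
int loop_in_bounds(ssize_t n) {
    return n >= 0 && n <= NEVENTS;
}

int main(void) {
    ssize_t err = -1;   /* what read() returns once the device is gone */
    printf("before fix: readlen=%zd in_bounds=%d\n",
           events_before_fix(err), loop_in_bounds(events_before_fix(err)));
    printf("after fix:  readlen=%zd in_bounds=%d\n",
           events_after_fix(err), loop_in_bounds(events_after_fix(err)));
    return 0;
}
```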