On Tue, Aug 14, 2007 at 03:35:06PM +0100, Mike Crowe wrote:
> I've managed to provoke a segfault in DirectFB by unplugging a USB
> input device.
>
> linux_input_EventThread divides the result of reading from the input
> device by sizeof(levt) prior to checking for error. Because the type
> of sizeof may be unsigned the int result of read is promoted
> to unsigned prior to the division. This means that a read error will
> cause readlen to contain a number larger than the size of the array
> causing the following loop to exceed its bounds.
>
> This patch defers the division until the value is known to be positive.

Thanks. Applied.

-- 
Ville Syrjälä
http://www.sci.fi/~syrjala/
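
The promotion described in the report can be reproduced in isolation. The following C is an added example, not DirectFB's code: `fake_event`, `MAX_EVENTS` and the function names are hypothetical, and an invalid file descriptor stands in for the unplugged device.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for struct input_event; no kernel headers needed. */
struct fake_event { long sec; long usec; unsigned short type, code; int value; };
#define MAX_EVENTS 64

/* Buggy order: divide first. The signed result of read() is converted to
 * size_t for the division, so an error return of -1 becomes SIZE_MAX. */
size_t count_divide_first(int fd)
{
    struct fake_event buf[MAX_EVENTS];
    int r = (int)read(fd, buf, sizeof(buf));
    return r / sizeof(buf[0]);   /* int promoted to unsigned here */
}

/* Order the patch description asks for: test the sign while the value is
 * still signed, then divide. Returns -1 on a read error. */
long count_check_first(int fd)
{
    struct fake_event buf[MAX_EVENTS];
    ssize_t r = read(fd, buf, sizeof(buf));
    if (r < 0)
        return -1;
    return (long)((size_t)r / sizeof(buf[0]));
}

/* Constructed input: a pipe holding n zeroed events; returns the read end. */
int pipe_with_events(int n)
{
    int p[2];
    struct fake_event ev = {0};
    if (pipe(p) != 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (write(p[1], &ev, sizeof(ev)) != (ssize_t)sizeof(ev))
            break;
    close(p[1]);
    return p[0];
}

int main(void)
{
    /* fd -1 is invalid, so read() fails with -1, like a vanished device. */
    printf("divide first: %zu events (buffer holds %d)\n", count_divide_first(-1), MAX_EVENTS);
    printf("check first:  %ld\n", count_check_first(-1));
    printf("valid read:   %ld events\n", count_check_first(pipe_with_events(2)));
    return 0;
}
```

A loop bounded by the first function's result would index far past the 64-entry buffer, which is the out-of-bounds access behind the reported segfault.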
