https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274014
Mark Johnston <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |[email protected], | |[email protected] --- Comment #1 from Mark Johnston <[email protected]> --- Here we're crashing while parsing a HID report descriptor, it looks like the descriptor is invalid somehow but the driver isn't doing enough validation: 753 if (hi.collevel == 1 && 754 hi.usage >= HID_USAGE2(HUP_BUTTON, left_btn) && 755 hi.usage <= HID_USAGE2(HUP_BUTTON, HMT_BTN_MAX)) { 756 btn = (hi.usage & 0xFFFF) - left_btn; 757 setbit(sc->buttons, btn); 758 sc->btn_loc[btn] = hi.loc; 759 if (btn >= sc->max_button) 760 sc->max_button = btn + 1; 761 break; 762 } In particular, we don't check that "btn" is in the range [0, 7]. I'm not sure if this means that the descriptor is invalid or whether we're missing some special case? -- You are receiving this mail because: You are the assignee for the bug.
