On Thu, May 06, 2004 at 08:15:15PM +1000, herbert wrote:
>
> The current code is applying the maxusage limit to GUSAGE/SUSAGE. This
> is incorrect as the number of values is stored in field->report_count,
> not field->maxusage. The USB phone from www.virbiage.com is one device
> where report_count exceeds maxusage.

I've removed the changes unrelated to the boundary check. Please let me know if you have any problems with this patch.

Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

===== drivers/usb/input/hiddev.c 1.49 vs edited ===== --- 1.49/drivers/usb/input/hiddev.c 2004-05-29 07:08:23 +10:00 +++ edited/drivers/usb/input/hiddev.c 2004-06-04 20:02:29 +10:00 @@ -638,15 +638,18 @@ goto inval; field = report->field[uref->field_index]; - if (uref->usage_index >= field->maxusage) - goto inval; - - if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) { - if (uref_multi->num_values >= HID_MAX_USAGES || - uref->usage_index >= field->maxusage || - (uref->usage_index + uref_multi->num_values) >= field->maxusage) + if (cmd == HIDIOCGCOLLECTIONINDEX) { + if (uref->usage_index >= field->maxusage) goto inval; - } + } else if (uref->usage_index >= field->report_count) + goto inval; + else if ((cmd == HIDIOCGUSAGES || + cmd == HIDIOCSUSAGES) && + (uref->usage_index + uref_multi->num_values >= + field->report_count || + uref->usage_index + uref_multi->num_values < + uref->usage_index)) + goto inval; } switch (cmd) {
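
Review bot: The new HIDIOCGUSAGES/HIDIOCSUSAGES branch no longer has the removed `uref_multi->num_values >= HID_MAX_USAGES` test, so num_values is now limited only by field->report_count, which varies by device (the commit message cites one where it exceeds maxusage). Unless the values buffer in uref_multi is guaranteed elsewhere to hold report_count entries, that cap should stay next to the new checks, since the struct is filled from user space and its size does not depend on the device. Separately, the range test `uref->usage_index + uref_multi->num_values >= field->report_count` rejects a request that ends exactly at the last value (index + count == report_count); `>` looks like the intended comparison, unless the stricter bound is deliberate, in which case a comment should say so. The wrap test (`sum < uref->usage_index`) is a good addition, but it is only meaningful if both operands are unsigned; worth confirming the field types. As a style point, the if / else if chain mixes braced and unbraced arms, which makes the two `goto inval` paths easy to misread.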