From: Jason Gerecke Date: Tue, 18 Jan 2022 22:38:41 +0000 (-0800) Subject: HID: wacom: Avoid using stale array indicies to read contact count X-Git-Tag: v6.1-rc5~1727^2~26 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=20f3cf5f860f9f267a6a6e5642d3d0525edb1814;p=platform%2Fkernel%2Flinux-starfive.git HID: wacom: Avoid using stale array indicies to read contact count If we ever see a touch report with contact count data we initialize several variables used to read the contact count in the pre-report phase. These variables are never reset if we process a report which doesn't contain a contact count, however. This can cause the pre- report function to trigger a read of arbitrary memory (e.g. NULL if we're lucky) and potentially crash the driver. This commit restores resetting of the variables back to default "none" values that were used prior to the commit mentioned below. Link: https://github.com/linuxwacom/input-wacom/issues/276 Fixes: 003f50ab673c (HID: wacom: Update last_slot_field during pre_report phase) CC: stable@vger.kernel.org Signed-off-by: Jason Gerecke Reviewed-by: Ping Cheng Signed-off-by: Jiri Kosina --- diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c index 92b52b1..a7176fc 100644 --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -2682,6 +2682,10 @@ static void wacom_wac_finger_pre_report(struct hid_device *hdev, hid_data->confidence = true; + hid_data->cc_report = 0; + hid_data->cc_index = -1; + hid_data->cc_value_index = -1; + for (i = 0; i < report->maxfield; i++) { struct hid_field *field = report->field[i]; int j;