[xorg-x11-drv-synaptics/f17] Fix stack smash on apple touchpads (#877464), this time with a patch
Peter Hutterer
whot at fedoraproject.org
Fri Apr 26 00:25:34 UTC 2013
commit 8285aa59c58fce38dfcc9b009ae5a6786669929e
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Fri Apr 26 10:24:39 2013 +1000
Fix stack smash on apple touchpads (#877464), this time with a patch
...tack-smash-in-clickpad_guess_clickfingers.patch | 66 ++++++++++++++++++++
xorg-x11-drv-synaptics.spec | 5 +-
2 files changed, 70 insertions(+), 1 deletions(-)
---
diff --git a/0001-Fix-stack-smash-in-clickpad_guess_clickfingers.patch b/0001-Fix-stack-smash-in-clickpad_guess_clickfingers.patch
new file mode 100644
index 0000000..e57a5f8
--- /dev/null
+++ b/0001-Fix-stack-smash-in-clickpad_guess_clickfingers.patch
@@ -0,0 +1,66 @@
+From 8fcc413285d347ecb6a27e0761ef4ce6fd56ca0a Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer at who-t.net>
+Date: Fri, 26 Apr 2013 10:09:10 +1000
+Subject: [PATCH synaptics] Fix stack smash in clickpad_guess_clickfingers()
+
+Apple Magic Trackpad can report 16 slots. In clickpad_guess_clickfingers()
+the array allocated on the stack contains only 10 slots.
+As (.num_mt_mask == .num_slots), the function writes out of the bounds
+of close_point.
+
+Use a size 32 bitmask instead and warn if we ever get past 32 touchpoints.
+
+This fixes:
+https://bugzilla.redhat.com/show_bug.cgi?id=952221
+
+Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
+Reported-by: Benjamin Tissoires <benjamin.tissoires at redhat.com>
+
+Conflicts:
+ src/synaptics.c
+---
+ src/synaptics.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/synaptics.c b/src/synaptics.c
+index 56dc55b..e00604b 100644
+--- a/src/synaptics.c
++++ b/src/synaptics.c
+@@ -2785,10 +2785,11 @@ clickpad_guess_clickfingers(SynapticsPrivate * priv,
+ int nfingers = 0;
+
+ #if HAVE_MULTITOUCH
+- char close_point[SYNAPTICS_MAX_TOUCHES] = { 0 }; /* 1 for each point close
+- to another one */
++ uint32_t close_point = 0; /* 1 bit for each point close to another one */
+ int i, j;
+
++ BUG_RETURN_VAL(hw->num_mt_mask > sizeof(close_point) * 8, 0);
++
+ for (i = 0; i < hw->num_mt_mask - 1; i++) {
+ ValuatorMask *f1;
+
+@@ -2820,14 +2821,16 @@ clickpad_guess_clickfingers(SynapticsPrivate * priv,
+ * size. Good luck. */
+ if (abs(x1 - x2) < (priv->maxx - priv->minx) * .3 &&
+ abs(y1 - y2) < (priv->maxy - priv->miny) * .3) {
+- close_point[j] = 1;
+- close_point[i] = 1;
++ close_point |= (1 << j);
++ close_point |= (1 << i);
+ }
+ }
+ }
+
+- for (i = 0; i < SYNAPTICS_MAX_TOUCHES; i++)
+- nfingers += close_point[i];
++ while (close_point > 0) {
++ nfingers += close_point & 0x1;
++ close_point >>= 1;
++ }
+ #endif
+
+ return nfingers;
+--
+1.8.1.4
+
diff --git a/xorg-x11-drv-synaptics.spec b/xorg-x11-drv-synaptics.spec
index 501a55e..8e503d5 100644
--- a/xorg-x11-drv-synaptics.spec
+++ b/xorg-x11-drv-synaptics.spec
@@ -8,7 +8,7 @@
Name: xorg-x11-drv-synaptics
Summary: Xorg X11 Synaptics touchpad input driver
Version: 1.6.3
-Release: 2%{?gitdate:.%{gitdate}git%{gitversion}}%{dist}
+Release: 3%{?gitdate:.%{gitdate}git%{gitversion}}%{dist}
URL: http://www.x.org
License: MIT
Group: User Interface/X Hardware Support
@@ -138,6 +138,9 @@ Development files for the Synaptics TouchPad for X.Org.
%changelog
+* Fri Apr 26 2013 Peter Hutterer <peter.hutterer at redhat.com> 1.6.3-3
+- Fix stack smash on apple touchpads (#877464), this time with a patch
+
* Fri Apr 26 2013 Peter Hutterer <peter.hutterer at redhat.com> 1.6.3-2
- Fix stack smash on apple touchpads (#877464)
More information about the scm-commits
mailing list