[xorg-x11-drv-synaptics/f19] Fix stack smash on magic trackpad (#952221)
Peter Hutterer
whot at fedoraproject.org
Fri Apr 26 01:34:52 UTC 2013
commit 26829028b7d5a1f90115246a31e700af10563e1f
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Fri Apr 26 11:30:31 2013 +1000
Fix stack smash on magic trackpad (#952221)
...tack-smash-in-clickpad_guess_clickfingers.patch | 63 ++++++++++++++++++++
xorg-x11-drv-synaptics.spec | 8 ++-
2 files changed, 70 insertions(+), 1 deletions(-)
---
diff --git a/0001-Fix-stack-smash-in-clickpad_guess_clickfingers.patch b/0001-Fix-stack-smash-in-clickpad_guess_clickfingers.patch
new file mode 100644
index 0000000..e6ddff4
--- /dev/null
+++ b/0001-Fix-stack-smash-in-clickpad_guess_clickfingers.patch
@@ -0,0 +1,63 @@
+From 7cc0ebf0858ebb505d933839f25bb269a8cdb764 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer at who-t.net>
+Date: Fri, 26 Apr 2013 10:09:10 +1000
+Subject: [PATCH synaptics] Fix stack smash in clickpad_guess_clickfingers()
+
+Apple Magic Trackpad can report 16 slots. In clickpad_guess_clickfingers()
+the array allocated on the stack contains only 10 slots.
+As (.num_mt_mask == .num_slots), the function writes out of the bounds
+of close_point.
+
+Use a size 32 bitmask instead and warn if we ever get past 32 touchpoints.
+
+This fixes:
+https://bugzilla.redhat.com/show_bug.cgi?id=952221
+
+Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
+Reported-by: Benjamin Tissoires <benjamin.tissoires at redhat.com>
+---
+ src/synaptics.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/synaptics.c b/src/synaptics.c
+index f0a8269..2de05d4 100644
+--- a/src/synaptics.c
++++ b/src/synaptics.c
+@@ -2453,10 +2453,11 @@ clickpad_guess_clickfingers(SynapticsPrivate * priv,
+ struct SynapticsHwState *hw)
+ {
+ int nfingers = 0;
+- char close_point[SYNAPTICS_MAX_TOUCHES] = { 0 }; /* 1 for each point close
+- to another one */
++ uint32_t close_point = 0; /* 1 bit for each point close to another one */
+ int i, j;
+
++ BUG_RETURN_VAL(hw->num_mt_mask > sizeof(close_point) * 8, 0);
++
+ for (i = 0; i < hw->num_mt_mask - 1; i++) {
+ ValuatorMask *f1;
+
+@@ -2488,14 +2489,16 @@ clickpad_guess_clickfingers(SynapticsPrivate * priv,
+ * size. Good luck. */
+ if (abs(x1 - x2) < (priv->maxx - priv->minx) * .3 &&
+ abs(y1 - y2) < (priv->maxy - priv->miny) * .3) {
+- close_point[j] = 1;
+- close_point[i] = 1;
++ close_point |= (1 << j);
++ close_point |= (1 << i);
+ }
+ }
+ }
+
+- for (i = 0; i < SYNAPTICS_MAX_TOUCHES; i++)
+- nfingers += close_point[i];
++ while (close_point > 0) {
++ nfingers += close_point & 0x1;
++ close_point >>= 1;
++ }
+
+ return nfingers;
+ }
+--
+1.8.1.4
+
diff --git a/xorg-x11-drv-synaptics.spec b/xorg-x11-drv-synaptics.spec
index 0e03b54..b5f4e64 100644
--- a/xorg-x11-drv-synaptics.spec
+++ b/xorg-x11-drv-synaptics.spec
@@ -8,7 +8,7 @@
Name: xorg-x11-drv-synaptics
Summary: Xorg X11 Synaptics touchpad input driver
Version: 1.7.0
-Release: 1%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
+Release: 2%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
URL: http://www.x.org
License: MIT
Group: User Interface/X Hardware Support
@@ -23,6 +23,8 @@ Source0: ftp://ftp.x.org/pub/individual/driver/%{tarball}-%{version}.tar.
Source3: 50-synaptics.conf
Source4: 70-touchpad-quirks.rules
+Patch01: 0001-Fix-stack-smash-in-clickpad_guess_clickfingers.patch
+
ExcludeArch: s390 s390x
BuildRequires: libtool pkgconfig
@@ -80,6 +82,7 @@ Features:
%prep
%setup -q -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}}
+%patch01 -p1
%build
autoreconf -v --install --force || exit 1
@@ -135,6 +138,9 @@ Development files for the Synaptics TouchPad for X.Org.
%changelog
+* Fri Apr 26 2013 Peter Hutterer <peter.hutterer at redhat.com> 1.7.0-2
+- Fix stack smash on magic trackpad (#952221)
+
* Tue Apr 02 2013 Peter Hutterer <peter.hutterer at redhat.com> 1.7.0-1
- synaptics 1.7.0
More information about the scm-commits
mailing list