averello/linux-stable-mirror
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2026-05-05 09:57:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

Input: aiptek - validate raw macro indices before updating state

Browse Source 
aiptek_irq() derives macro key indices directly from tablet reports and
then uses them to index macroKeyEvents[]. Report types 4 and 5 also save
the derived value in aiptek->lastMacro and later use that state to
release the previous key.

Validate the raw macro index once before it enters that state machine, so
lastMacro only ever stores an in-range macro key. Keep direct bounds
checks for report type 6, which reads the macro number from the packet
body and uses it immediately.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260329001711.88076-1-pengpeng@iscas.ac.cn
[dtor: fix macro fallback in report 5s to use -1]
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
This commit is contained in:
Pengpeng Hou
2026-04-06 21:52:34 -07:00
committed by Dmitry Torokhov
parent bc561dc8ba
commit 95dffe32a6
1 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
drivers/input/tablet/aiptek.c
+9 -4
View File
@@ -657,6 +657,8 @@ static void aiptek_irq(struct urb *urb)
pck = (data[1] & aiptek->curSetting.stylusButtonUpper) != 0 ? 1 : 0;
macro = dv && p && tip && !(data[3] & 1) ? (data[3] >> 1) : -1;
if (macro >= ARRAY_SIZE(macroKeyEvents))
macro = -1;
z = get_unaligned_le16(data + 4);
if (dv) {
@@ -698,7 +700,9 @@ static void aiptek_irq(struct urb *urb)
left = (data[1]& aiptek->curSetting.mouseButtonLeft) != 0 ? 1 : 0;
right = (data[1] & aiptek->curSetting.mouseButtonRight) != 0 ? 1 : 0;
middle = (data[1] & aiptek->curSetting.mouseButtonMiddle) != 0 ? 1 : 0;
macro = dv && p && left && !(data[3] & 1) ? (data[3] >> 1) : 0;
macro = dv && p && left && !(data[3] & 1) ? (data[3] >> 1) : -1;
if (macro >= ARRAY_SIZE(macroKeyEvents))
macro = -1;
if (dv) {
/* If the selected tool changed, reset the old
@@ -736,11 +740,11 @@ static void aiptek_irq(struct urb *urb)
*/
else if (data[0] == 6) {
macro = get_unaligned_le16(data + 1);
if (macro > 0) {
if (macro > 0 && macro - 1 < ARRAY_SIZE(macroKeyEvents)) {
input_report_key(inputdev, macroKeyEvents[macro - 1],
0);
}
if (macro < 25) {
if (macro + 1 < ARRAY_SIZE(macroKeyEvents)) {
input_report_key(inputdev, macroKeyEvents[macro + 1],
0);
}
@@ -759,7 +763,8 @@ static void aiptek_irq(struct urb *urb)
aiptek->curSetting.toolMode;
}
input_report_key(inputdev, macroKeyEvents[macro], 1);
if (macro < ARRAY_SIZE(macroKeyEvents))
input_report_key(inputdev, macroKeyEvents[macro], 1);
input_report_abs(inputdev, ABS_MISC,
1 | AIPTEK_REPORT_TOOL_UNKNOWN);
input_sync(inputdev);