tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Input: aiptek - validate raw macro indices before updating state

aiptek_irq() derives macro key indices directly from tablet reports and
then uses them to index macroKeyEvents[]. Report types 4 and 5 also save
the derived value in aiptek->lastMacro and later use that state to
release the previous key.

Validate the raw macro index once before it enters that state machine, so
lastMacro only ever stores an in-range macro key. Keep direct bounds
checks for report type 6, which reads the macro number from the packet
body and uses it immediately.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260329001711.88076-1-pengpeng@iscas.ac.cn
[dtor: fix macro fallback in report 5s to use -1]
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

authored by

Pengpeng Hou and committed by
Dmitry Torokhov 95dffe32 bc561dc8

+9 -4
+9 -4
drivers/input/tablet/aiptek.c
··· 657 657 pck = (data[1] & aiptek->curSetting.stylusButtonUpper) != 0 ? 1 : 0; 658 658 659 659 macro = dv && p && tip && !(data[3] & 1) ? (data[3] >> 1) : -1; 660 + if (macro >= ARRAY_SIZE(macroKeyEvents)) 661 + macro = -1; 660 662 z = get_unaligned_le16(data + 4); 661 663 662 664 if (dv) { ··· 700 698 left = (data[1]& aiptek->curSetting.mouseButtonLeft) != 0 ? 1 : 0; 701 699 right = (data[1] & aiptek->curSetting.mouseButtonRight) != 0 ? 1 : 0; 702 700 middle = (data[1] & aiptek->curSetting.mouseButtonMiddle) != 0 ? 1 : 0; 703 - macro = dv && p && left && !(data[3] & 1) ? (data[3] >> 1) : 0; 701 + macro = dv && p && left && !(data[3] & 1) ? (data[3] >> 1) : -1; 702 + if (macro >= ARRAY_SIZE(macroKeyEvents)) 703 + macro = -1; 704 704 705 705 if (dv) { 706 706 /* If the selected tool changed, reset the old ··· 740 736 */ 741 737 else if (data[0] == 6) { 742 738 macro = get_unaligned_le16(data + 1); 743 - if (macro > 0) { 739 + if (macro > 0 && macro - 1 < ARRAY_SIZE(macroKeyEvents)) { 744 740 input_report_key(inputdev, macroKeyEvents[macro - 1], 745 741 0); 746 742 } 747 - if (macro < 25) { 743 + if (macro + 1 < ARRAY_SIZE(macroKeyEvents)) { 748 744 input_report_key(inputdev, macroKeyEvents[macro + 1], 749 745 0); 750 746 } ··· 763 759 aiptek->curSetting.toolMode; 764 760 } 765 761 766 - input_report_key(inputdev, macroKeyEvents[macro], 1); 762 + if (macro < ARRAY_SIZE(macroKeyEvents)) 763 + input_report_key(inputdev, macroKeyEvents[macro], 1); 767 764 input_report_abs(inputdev, ABS_MISC, 768 765 1 | AIPTEK_REPORT_TOOL_UNKNOWN); 769 766 input_sync(inputdev);