From: Martin Pitt Date: Fri, 18 Mar 2011 12:56:32 +0000 (+0100) Subject: input_id: Avoid memory overflow with too long capability masks X-Git-Tag: 174~230 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=88149f668ea7ac23c61f6d1982db4f4517da763c input_id: Avoid memory overflow with too long capability masks Joey Lee reported a problem on an MSI laptop which reports a too long capabilities/key: E: EV==3 E: KEY==180000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 This is longer than KEY_MAX and thus caused a memory overflow. Guard against this now and just ignore the excess blocks. --- diff --git a/extras/input_id/input_id.c b/extras/input_id/input_id.c index 20191599d..b2d4a6770 100644 --- a/extras/input_id/input_id.c +++ b/extras/input_id/input_id.c @@ -61,12 +61,18 @@ static void get_cap_mask (struct udev_device *dev, const char* attr, i = 0; while ((word = strrchr(text, ' ')) != NULL) { val = strtoul (word+1, NULL, 16); - bitmask[i] = val; + if (i < bitmask_size/sizeof(unsigned long)) + bitmask[i] = val; + else + DBG("Ignoring %s block %lX which is larger than maximum size\n", attr, val); *word = '\0'; ++i; } val = strtoul (text, NULL, 16); - bitmask[i] = val; + if (i < bitmask_size/sizeof(unsigned long)) + bitmask[i] = val; + else + DBG("Ignoring %s block %lX which is larger than maximum size\n", attr, val); if (debug) { /* printf pattern with the right unsigned long number of hex chars */
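Review bot: The DBG text added in both branches says the block "is larger than maximum size" and prints val, but what exceeds the limit is the word index i checked against bitmask_size/sizeof(unsigned long), not the value. Printing i and the limit would let the message be matched to a position in the attribute. The same guard and message appear verbatim in the loop body and again for the final word after the loop; computing the limit once into a local before the while, or moving the guarded store into a small helper, would keep the two sites from drifting apart. Because strrchr consumes words from the right, the blocks that get ignored are the leftmost ones in the attribute, and in the KEY sample from the commit message the leftmost word (180000) is the only non-zero one. A comment stating that the high-order blocks are dropped on purpose would help the next reader, and since DBG is the only trace of the truncation it is worth considering whether this case should be reported outside debug output.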