[PATCH 1/1] integer overflow issue in 'appletouch' driver
From: Vadim Zaliva
Date: Fri Mar 05 2010 - 15:11:04 EST
This small patch is fixing an integer overflow issue in 'appletouch' driver.
In particular, reading data from Geyser 2 touchpads used on post Oct
2005 Apple PowerBooks the driver was casting X and Y coordinates
values to 'signed char'. Testing on one of such PowerBooks I have
noticed that touchpad always generates positive values, but some of
them are greater that 127, and thus, when cast to 'signed char' being
interpreted as a negative.
Such bigger values have been observed infrequently, closer to the
edges of a touchpad, so the problem was not very visible.
Nevertheless, the patch would potentially improve touchpad
driver accuracy.
diff -uNr linux-source-2.6.31.orig/drivers/input/mouse/appletouch.c linux-source-2.6.31/drivers/input/mouse/appletouch.c
--- linux-source-2.6.31.orig/drivers/input/mouse/appletouch.c 2009-09-09 15:13:59.000000000 -0700
+++ linux-source-2.6.31/drivers/input/mouse/appletouch.c 2010-03-05 11:05:11.921394055 -0800
@@ -205,8 +205,8 @@
bool overflow_warned;
int x_old; /* last reported x/y, */
int y_old; /* used for smoothing */
- signed char xy_cur[ATP_XSENSORS + ATP_YSENSORS];
- signed char xy_old[ATP_XSENSORS + ATP_YSENSORS];
+ u8 xy_cur[ATP_XSENSORS + ATP_YSENSORS];
+ u8 xy_old[ATP_XSENSORS + ATP_YSENSORS];
int xy_acc[ATP_XSENSORS + ATP_YSENSORS];
int idlecount; /* number of empty packets */
struct work_struct work;
@@ -531,7 +531,7 @@
for (i = 0; i < ATP_XSENSORS + ATP_YSENSORS; i++) {
/* accumulate the change */
- signed char change = dev->xy_old[i] - dev->xy_cur[i];
+ int change = dev->xy_old[i] - dev->xy_cur[i];
dev->xy_acc[i] -= change;
/* prevent down drifting */
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/