[PATCH 27/47] Fix array overflows in keyboard.c when KEY_MAX > keycode > NR_KEYS > 128

From: Vojtech Pavlik
Date: Thu Jul 29 2004 - 10:11:58 EST


You can pull this changeset from:
bk://kernel.bkbits.net/vojtech/input

===================================================================

ChangeSet@xxxxxxxxxxxxx, 2004-06-23 08:06:20+02:00, vojtech@xxxxxxx
input: Fix array overflows in keyboard.c when KEY_MAX > keycode > NR_KEYS > 128.

Signed-off-by: Vojtech Pavlik <vojtech@xxxxxxx>


keyboard.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)

===================================================================

diff -Nru a/drivers/char/keyboard.c b/drivers/char/keyboard.c
--- a/drivers/char/keyboard.c Thu Jul 29 14:40:08 2004
+++ b/drivers/char/keyboard.c Thu Jul 29 14:40:08 2004
@@ -124,7 +124,7 @@
*/

static struct input_handler kbd_handler;
-static unsigned long key_down[256/BITS_PER_LONG]; /* keyboard key bitmap */
+static unsigned long key_down[NBITS(KEY_MAX)]; /* keyboard key bitmap */
static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */
static int dead_key_next;
static int npadch = -1; /* -1 or number assembled on pad */
@@ -143,7 +143,7 @@
/* Simple translation table for the SysRq keys */

#ifdef CONFIG_MAGIC_SYSRQ
-unsigned char kbd_sysrq_xlate[128] =
+unsigned char kbd_sysrq_xlate[KEY_MAX] =
"\000\0331234567890-=\177\t" /* 0x00 - 0x0f */
"qwertyuiop[]\r\000as" /* 0x10 - 0x1f */
"dfghjkl;'`\000\\zxcv" /* 0x20 - 0x2f */
@@ -1132,6 +1132,9 @@
kbd->slockstate = 0;
return;
}
+
+ if (keycode > NR_KEYS)
+ return;

keysym = key_map[keycode];
type = KTYP(keysym);

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/