On 03/13/2012 09:04 PM, Daniel Kurtz wrote:Don't allow writing past the length of an object.
Signed-off-by: Daniel Kurtz<djkurtz@xxxxxxxxxxxx>
---
drivers/input/touchscreen/atmel_mxt_ts.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c
index 0d4d492..e18c698 100644
--- a/drivers/input/touchscreen/atmel_mxt_ts.c
+++ b/drivers/input/touchscreen/atmel_mxt_ts.c
@@ -506,7 +506,7 @@ static int mxt_write_object(struct mxt_data *data,
u16 reg;
object = mxt_get_object(data, type);
- if (!object)
+ if (!object || offset>= object->size)
The object->size is actual object size - 1.
+ if (!object || offset> object->size)
return -EINVAL;
reg = object->start_address;