Module Name: src
Committed By: christos
Date: Thu Apr 16 19:53:19 UTC 2015
Modified Files:
src/sys/dev/bluetooth: btmagic.c
Log Message:
CID 1293640/1 memory corruption/overrun
To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/sys/dev/bluetooth/btmagic.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/bluetooth/btmagic.c
diff -u src/sys/dev/bluetooth/btmagic.c:1.12 src/sys/dev/bluetooth/btmagic.c:1.13
--- src/sys/dev/bluetooth/btmagic.c:1.12 Mon Apr 6 13:45:31 2015
+++ src/sys/dev/bluetooth/btmagic.c Thu Apr 16 15:53:19 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: btmagic.c,v 1.12 2015/04/06 17:45:31 bouyer Exp $ */
+/* $NetBSD: btmagic.c,v 1.13 2015/04/16 19:53:19 christos Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -85,7 +85,7 @@
*****************************************************************************/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: btmagic.c,v 1.12 2015/04/06 17:45:31 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: btmagic.c,v 1.13 2015/04/16 19:53:19 christos Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -1523,6 +1523,8 @@ btmagic_input_magict(struct btmagic_soft
*/
continue;
}
+ if (id >= __arraycount(sc->sc_ax))
+ continue;
tx = ax - sc->sc_ax[id];
ty = ay - sc->sc_ay[id];
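Review bot: The new guard takes its bound from `sc->sc_ax` alone, yet the lines right after it read both `sc->sc_ax[id]` and `sc->sc_ay[id]`; the identical guard in the second hunk protects the stores to both arrays in the same way. Nothing visible in the diff ties the two arrays to the same length, so if `sc_ay` were ever declared shorter, the overrun this commit closes would reopen on that array. I would pin the assumption next to the check, e.g. `__CTASSERT(__arraycount(sc->sc_ax) == __arraycount(sc->sc_ay));`, or at minimum add a comment such as `/* id indexes sc_ax[] and sc_ay[]; both must stay the same size */`. Since `id` is presumably parsed from the device report earlier in the loop (outside the hunk, so not confirmed here), rejecting an out-of-range value once at that point would also replace the two duplicated checks. The body of btmagic_input_magict starts and ends outside both hunks.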
@@ -1562,6 +1564,9 @@ btmagic_input_magict(struct btmagic_soft
break;
}
+ if (id >= __arraycount(sc->sc_ax))
+ continue;
+
sc->sc_ax[id] = ax;
sc->sc_ay[id] = ay;
}