From: Daniel Kurtz <djkurtz@chromium.org>
Date: Wed, 9 May 2012 05:38:52 +0000 (-0700)
Subject: Input: atmel_mxt_ts - verify object size in mxt_write_object
X-Git-Tag: firefly_0821_release~176^2~541^2~341^2~14
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=d1ff320f0a9766a53ae412d96f72bd861a889af6;p=firefly-linux-kernel-4.4.55.git

Input: atmel_mxt_ts - verify object size in mxt_write_object

Don't allow writing past the length of an object.

Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
---

diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c
index 15ae6fd575b2..8f0dc7776e7d 100644
--- a/drivers/input/touchscreen/atmel_mxt_ts.c
+++ b/drivers/input/touchscreen/atmel_mxt_ts.c
@@ -506,7 +506,7 @@ static int mxt_write_object(struct mxt_data *data,
 	u16 reg;
 
 	object = mxt_get_object(data, type);
-	if (!object)
+	if (!object || offset >= object->size + 1)
 		return -EINVAL;
 
 	reg = object->start_address;