git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	T.J. Mercier <tjmercier@google.com>
	Fri, 17 Apr 2026 15:47:02 +0000 (08:47 -0700)
committer	Jiri Kosina <jkosina@suse.com>
	Tue, 12 May 2026 15:54:48 +0000 (17:54 +0200)
commit	cac61b58a3b6340c52afa06bb15eac033158db2f
tree	2bec557459155ac42b475b50d09740e2337e1e01	tree \| snapshot
parent	d93ba918a185aca2594da63e92fdc5495b559c0f	commit \| diff

HID: playstation: Clamp num_touch_reports

A device would never lie about the number of touch reports would it?

If it does the loop in dualshock4_parse_report will read off the end of
the touch_reports array, up to about 2 KiB for the maximum number of 256
loop iteraions. The data that is read is emitted via evdev if the
DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by
clamping the num_touch_reports value provided by the device to the
maximum size of the touch_reports array.

Fixes: 752038248808 ("HID: playstation: add DualShock4 touchpad support.")
Cc: stable@vger.kernel.org
Reported-by: Xingyu Jin <xingyuj@google.com>
Signed-off-by: T.J. Mercier <tjmercier@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>