Input: gf2k - skip invalid hat lookup values

gf2k_read() decodes the hat position from a 4-bit field and uses it
directly to index gf2k_hat_to_axis[]. The lookup table only has nine
entries, so malformed packets can read past the end of the fixed table.

Skip hat reporting when the decoded value falls outside the lookup
table instead of forcing it to the neutral position. This keeps the
fix local and avoids reporting a made-up axis state for malformed
packets.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260407120001.1-gf2k-v2-pengpeng@iscas.ac.cn
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

diff --git a/drivers/input/joystick/gf2k.c b/drivers/input/joystick/gf2k.c
index 5a1cdce0bc480bacf7175e3e7ad8c1ebfc4e3377..1d843115d67417e9fedcf6876ebb84266d3cfda8 100644 (file)
--- a/drivers/input/joystick/gf2k.c
+++ b/drivers/input/joystick/gf2k.c
@@ -165,8 +165,10 @@ static void gf2k_read(struct gf2k *gf2k, unsigned char *data)
 
        t = GB(40,4,0);
 
-       for (i = 0; i < gf2k_hats[gf2k->id]; i++)
-               input_report_abs(dev, ABS_HAT0X + i, gf2k_hat_to_axis[t][i]);
+       if (t < ARRAY_SIZE(gf2k_hat_to_axis))
+               for (i = 0; i < gf2k_hats[gf2k->id]; i++)
+                       input_report_abs(dev, ABS_HAT0X + i,
+                                        gf2k_hat_to_axis[t][i]);
 
        t = GB(44,2,0) | GB(32,8,2) | GB(78,2,10);