On 230213 1841, Mauro Matteo Cascella wrote:
> The guest can control the size of buf; an OOB write occurs when buf is 1 or 2
> bytes long. Only fill in the buffer as long as there is enough space, throw
> away any data which doesn't fit.
> 
> Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com>

Tested-by: Alexander Bulekov <alx...@bu.edu>

Thanks

> ---
>  hw/usb/dev-wacom.c | 20 +++++++++++++-------
>  1 file changed, 13 insertions(+), 7 deletions(-)
> 
> diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
> index 7177c17f03..ca9e6aa82f 100644
> --- a/hw/usb/dev-wacom.c
> +++ b/hw/usb/dev-wacom.c
> @@ -252,14 +252,20 @@ static int usb_mouse_poll(USBWacomState *s, uint8_t 
> *buf, int len)
>      if (s->buttons_state & MOUSE_EVENT_MBUTTON)
>          b |= 0x04;
>  
> -    buf[0] = b;
> -    buf[1] = dx;
> -    buf[2] = dy;
> -    l = 3;
> -    if (len >= 4) {
> -        buf[3] = dz;
> -        l = 4;
> +    l = 0;
> +    if (len > l) {
> +        buf[l++] = b;
>      }
> +    if (len > l) {
> +        buf[l++] = dx;
> +    }
> +    if (len > l) {
> +        buf[l++] = dy;
> +    }
> +    if (len > l) {
> +        buf[l++] = dz;
> +    }
> +
>      return l;
>  }
>  
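Review bot: the new `if (len > l)` ladder in usb_mouse_poll() changes the return value from always 3 or 4 to anything from 0 to 4, and nothing in the hunk documents that a short report is intended. A one-line comment above `l = 0;` stating that fields which do not fit are dropped on purpose would help, and the callers of this function should be checked to confirm they handle a return of 0, 1 or 2. The four identical blocks could also be folded into a loop over a small local array holding b, dx, dy and dz, which keeps the bounds check in one place.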
> -- 
> 2.39.1
> 
> 
