Integer overflow in perseus-p-oss #991
There is a suspected integer overflow vulnerability in the tpdbg_write method in drivers/input/touchscreen/ft5x46/ft5x46_ts.c. When the 3rd argument `size` is set to size_t-1, the addition of 1 in kzalloc (line 3807) will wrap around to zero because of an integer overflow. kzalloc will return ZERO_SIZE_PTR, and since the check only tests for `cmd` equal to NULL (line 3810), it will be bypassed. Subsequent dereferencing of ZERO_SIZE_PTR (lines 3813, 3818) will cause a kernel oops.
An additional check for the value of `size` or for ZERO_SIZE_PTR is possibly required to fix this issue.
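The failure mode described in the report can be reproduced in a userspace model. The code below is an added example, not the driver's code or part of the original issue: `model_kzalloc`, `alloc_null_check_only` and `alloc_hardened` are hypothetical names, and `ZERO_SIZE_PTR` / `ZERO_OR_NULL_PTR` mirror the kernel's definitions in `include/linux/slab.h`. It shows that a `size + 1` request wrapping to zero passes a NULL-only check, and that rejecting the wrapping size plus a `ZERO_OR_NULL_PTR` test closes the gap.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mirrors include/linux/slab.h: a non-NULL sentinel that must not be dereferenced. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) ((uintptr_t)(x) <= (uintptr_t)ZERO_SIZE_PTR)

/* Userspace model of kzalloc(): a zero-byte request yields ZERO_SIZE_PTR, not NULL. */
static void *model_kzalloc(size_t size)
{
    return size ? calloc(1, size) : ZERO_SIZE_PTR;
}

/* Pattern from the report: allocate size + 1, then test only for NULL. */
static int alloc_null_check_only(size_t size, void **cmd)
{
    *cmd = model_kzalloc(size + 1);  /* wraps to 0 when size == SIZE_MAX */
    if (!*cmd)
        return -ENOMEM;
    return 0;                        /* caller would now write through *cmd */
}

/* Hardened: reject the size that wraps, and treat ZERO_SIZE_PTR as a failure. */
static int alloc_hardened(size_t size, void **cmd)
{
    *cmd = NULL;
    if (size == SIZE_MAX)
        return -EINVAL;
    *cmd = model_kzalloc(size + 1);
    if (ZERO_OR_NULL_PTR(*cmd)) {
        *cmd = NULL;
        return -ENOMEM;
    }
    return 0;
}

int main(void)
{
    void *cmd;
    int rc = alloc_null_check_only(SIZE_MAX, &cmd);
    printf("NULL check only: rc=%d cmd=%p\n", rc, cmd);
    rc = alloc_hardened(SIZE_MAX, &cmd);
    printf("hardened:        rc=%d cmd=%p\n", rc, cmd);
    return 0;
}
```

In a real write handler the length would normally also be capped at a small driver-specific maximum before allocating, which makes the wrap unreachable in the first place.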