Skip to content

Commit

Permalink
Input: pcf8574_keypad - fix off by one in pcf8574_kp_irq_handler()
Browse files Browse the repository at this point in the history 
If nextstate == ARRAY_SIZE(lp->btncode), then we read one past the end of
the array on the next line.

This fixes a smatch warning:
drivers/input/misc/pcf8574_keypad.c +74 pcf8574_kp_irq_handler(8)
	error: buffer overflow 'lp->btncode' 17 <= 17

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
  • Loading branch information
Dan Carpenter authored and Dmitry Torokhov committed Jun 5, 2010
1 parent 3a4b4aa commit 0b75f77
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/input/misc/pcf8574_keypad.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ static irqreturn_t pcf8574_kp_irq_handler(int irq, void *dev_id)
unsigned char nextstate = read_state(lp);

if (lp->laststate != nextstate) {
int key_down = nextstate <= ARRAY_SIZE(lp->btncode);
int key_down = nextstate < ARRAY_SIZE(lp->btncode);
unsigned short keycode = key_down ?
lp->btncode[nextstate] : lp->btncode[lp->laststate];

Expand Down

0 comments on commit 0b75f77

Please sign in to comment.