On 230329 0542, Alexander Bulekov wrote:
> On 230213 1841, Mauro Matteo Cascella wrote:
> > The guest can control the size of buf; an OOB write occurs when buf is 1 or 2
> > bytes long. Only fill in the buffer as long as there is enough space, throw
> > away any data which doesn't fit.
> > 
> > Signed-off-by: Mauro Matteo Cascella <[email protected]>
> 
> Tested-by: Alexander Bulekov <[email protected]>
> 
> Thanks
> 

Ping. I don't think this made it in yet?

> > ---
> >  hw/usb/dev-wacom.c | 20 +++++++++++++-------
> >  1 file changed, 13 insertions(+), 7 deletions(-)
> > 
> > diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
> > index 7177c17f03..ca9e6aa82f 100644
> > --- a/hw/usb/dev-wacom.c
> > +++ b/hw/usb/dev-wacom.c
> > @@ -252,14 +252,20 @@ static int usb_mouse_poll(USBWacomState *s, uint8_t 
> > *buf, int len)
> >      if (s->buttons_state & MOUSE_EVENT_MBUTTON)
> >          b |= 0x04;
> >  
> > -    buf[0] = b;
> > -    buf[1] = dx;
> > -    buf[2] = dy;
> > -    l = 3;
> > -    if (len >= 4) {
> > -        buf[3] = dz;
> > -        l = 4;
> > +    l = 0;
> > +    if (len > l) {
> > +        buf[l++] = b;
> >      }
> > +    if (len > l) {
> > +        buf[l++] = dx;
> > +    }
> > +    if (len > l) {
> > +        buf[l++] = dy;
> > +    }
> > +    if (len > l) {
> > +        buf[l++] = dz;
> > +    }
> > +
> >      return l;
> >  }
> >  
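
Review bot: In the new `if (len > l)` chain in usb_mouse_poll, the return value can now be anywhere from 0 to 4, where the removed code always returned 3 or 4. A short comment above `l = 0;` stating that a short guest buffer gets a truncated report would keep the intent from the commit message visible in the code. The four identical guards could also be folded into one loop over a small local array of b, dx, dy and dz, which keeps the bounds check in a single place. Since `len` is a signed int, a zero or negative value fails every check and the function returns 0, so it is worth confirming that the caller handles a 0-byte result.
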
> > -- 
> > 2.39.1
> > 
> > 
