From 9e68177ef93b2f34eee5a1e1707bceef4b9ba69c Mon Sep 17 00:00:00 2001 From: Jussi Kivilinna Date: Thu, 7 May 2009 17:14:21 -0700 Subject: Input: ff-memless - fix signed to unsigned bit overflow When userspace sets effect->u.rumble.strong_magnitude to 0x8001 or larger, ml_combine_effects() would always return strong_magnitude 0xffff. Problem is that 'gain' is passed in as signed integer. Multiplying magnitude (__u16) with gain (int) causes magnitude read as signed and results negative value (with magnitude > 0x8000). This signed integer is then divided and value, still negative, converted to 32bit unsigned integer. Finally checking combine overflow min(new+old, 0xffff) gives out 0xffff. Fix is to simply change 'gain' to unsigned int. Signed-off-by: Jussi Kivilinna Acked-by: Anssi Hannula Signed-off-by: Dmitry Torokhov --- drivers/input/ff-memless.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/input/ff-memless.c b/drivers/input/ff-memless.c index bc4e40f..2d1415e 100644 --- a/drivers/input/ff-memless.c +++ b/drivers/input/ff-memless.c @@ -226,7 +226,7 @@ static int get_compatible_type(struct ff_device *ff, int effect_type) */ static void ml_combine_effects(struct ff_effect *effect, struct ml_effect_state *state, - int gain) + unsigned int gain) { struct ff_effect *new = state->effect; unsigned int strong, weak, i; -- cgit v1.1