input_id: Avoid memory overflow with too long capability masks

Joey Lee <jlee@novell.com> reported a problem on an MSI laptop which reports a
too long capabilities/key:

E: EV==3
E: KEY==180000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

This is longer than KEY_MAX and thus caused a memory overflow. Guard against
this now and just ignore the excess blocks.

diff --git a/extras/input_id/input_id.c b/extras/input_id/input_id.c
index 20191599d1a46cf94bf83210524f41051a77d823..b2d4a6770af5be860de1ce0f1c5b87a97a08e1ce 100644 (file)
--- a/extras/input_id/input_id.c
+++ b/extras/input_id/input_id.c
@@ -61,12 +61,18 @@ static void get_cap_mask (struct udev_device *dev, const char* attr,
        i = 0;
        while ((word = strrchr(text, ' ')) != NULL) {
                val = strtoul (word+1, NULL, 16);
-               bitmask[i] = val;
+               if (i < bitmask_size/sizeof(unsigned long))
+                       bitmask[i] = val;
+               else
+                       DBG("Ignoring %s block %lX which is larger than maximum size\n", attr, val);
                *word = '\0';
                ++i;
        }
        val = strtoul (text, NULL, 16);
-       bitmask[i] = val;
+       if (i < bitmask_size/sizeof(unsigned long))
+               bitmask[i] = val;
+       else
+               DBG("Ignoring %s block %lX which is larger than maximum size\n", attr, val);
 
        if (debug) {
                /* printf pattern with the right unsigned long number of hex chars */