Melchior FRANZ:

input.cxx allocates memory for js->getNumAxes() axes and for jsCaps.wNumButtons or MAX_JOYSTICK_BUTTONS buttons per joystick. But it doesn't check if some xml config defines bindings for more axes/buttons, in which case it writes to unallocated memory and causes crashes. This is a real world example: sidewinder-force-feed-pro.xml defines 7 axes, but only newer versions of this js do actually have that many. Older ones (-> gameport) don't. The patch drops unused and unusable bindings.
2004-10-24 14:45:52 +00:00 · 2004-10-24 14:45:52 +00:00 · 5071415bd1
commit 5071415bd1
parent 0ab2a40c2a
1 changed files with 10 additions and 0 deletions
--- a/src/Input/input.cxx
+++ b/src/Input/input.cxx
@ -479,6 +479,10 @@ FGInput::_init_joystick ()
          n_axis = num_node->getIntValue(TGT_PLATFORM,n_axis);
      }

+      if (n_axis >= naxes) {
+          SG_LOG(SG_INPUT, SG_DEBUG, "Dropping bindings for axis " << n_axis);
+          continue;
+      }
      axis &a = _joystick_bindings[i].axes[n_axis];

      js->setDeadBand(n_axis, axis_node->getDoubleValue("dead-band", 0.0));
@ -512,6 +516,12 @@ FGInput::_init_joystick ()
      if (num_node != 0) {
          n_but = num_node->getIntValue(TGT_PLATFORM,n_but);
      }
+
+      if (n_but >= nbuttons) {
+          SG_LOG(SG_INPUT, SG_DEBUG, "Dropping bindings for button " << n_but);
+          continue;
+      }
+
      sprintf(buf, "%d", n_but);
      SG_LOG(SG_INPUT, SG_DEBUG, "Initializing button " << n_but);
      _init_button(button_node,