From 5071415bd13903a17f92fec3c5db5f3e89b426e8 Mon Sep 17 00:00:00 2001
From: ehofman <ehofman>
Date: Sun, 24 Oct 2004 14:45:52 +0000
Subject: [PATCH] Melchior FRANZ:

input.cxx allocates memory for js->getNumAxes() axes and for jsCaps.wNumButtons
or MAX_JOYSTICK_BUTTONS buttons per joystick. But it doesn't check if some
xml config defines bindings for more axes/buttons, in which case it writes
to unallocated memory and causes crashes. This is a real world example:
sidewinder-force-feed-pro.xml defines 7 axes, but only newer versions of
this js do actually have that many. Older ones (-> gameport) don't. The patch
drops unused and unusable bindings.
---
 src/Input/input.cxx | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/Input/input.cxx b/src/Input/input.cxx
index 55a311e60..2e3c89cca 100644
--- a/src/Input/input.cxx
+++ b/src/Input/input.cxx
@@ -479,6 +479,10 @@ FGInput::_init_joystick ()
           n_axis = num_node->getIntValue(TGT_PLATFORM,n_axis);
       }
 
+      if (n_axis >= naxes) {
+          SG_LOG(SG_INPUT, SG_DEBUG, "Dropping bindings for axis " << n_axis);
+          continue;
+      }
       axis &a = _joystick_bindings[i].axes[n_axis];
 
       js->setDeadBand(n_axis, axis_node->getDoubleValue("dead-band", 0.0));
@@ -512,6 +516,12 @@ FGInput::_init_joystick ()
       if (num_node != 0) {
           n_but = num_node->getIntValue(TGT_PLATFORM,n_but);
       }
+
+      if (n_but >= nbuttons) {
+          SG_LOG(SG_INPUT, SG_DEBUG, "Dropping bindings for button " << n_but);
+          continue;
+      }
+
       sprintf(buf, "%d", n_but);
       SG_LOG(SG_INPUT, SG_DEBUG, "Initializing button " << n_but);
       _init_button(button_node,