[PATCH] Input: gf2k: clamp hat values to the lookup table

Pengpeng Hou posted 1 patch 1 week, 4 days ago
Posted by Pengpeng Hou 1 week, 4 days ago
gf2k_read() decodes the hat position from a 4-bit field and uses it
directly to index gf2k_hat_to_axis[]. The lookup table only has nine
entries, so malformed packets can read past the end of the fixed table.

Clamp invalid hat values to the neutral position before indexing the
lookup table.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/input/joystick/gf2k.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/input/joystick/gf2k.c b/drivers/input/joystick/gf2k.c
index 5a1cdce0bc48..78fba36285dc 100644
--- a/drivers/input/joystick/gf2k.c
+++ b/drivers/input/joystick/gf2k.c
@@ -164,6 +164,8 @@ static void gf2k_read(struct gf2k *gf2k, unsigned char *data)
 		input_report_abs(dev, gf2k_abs[i], GB(i*9+60,8,0) | GB(i+54,1,9));
 
 	t = GB(40,4,0);
+	if (t >= ARRAY_SIZE(gf2k_hat_to_axis))
+		t = 0;
 
 	for (i = 0; i < gf2k_hats[gf2k->id]; i++)
 		input_report_abs(dev, ABS_HAT0X + i, gf2k_hat_to_axis[t][i]);
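Review bot: the fallback `t = 0` in the added check makes a malformed packet indistinguishable from a genuine neutral hat reading, so the loop that follows still emits hat events derived from invalid data, and a direction that userspace currently sees as held would be reported as released. Consider leaving `t` untouched and guarding the loop instead, for example with `if (t < ARRAY_SIZE(gf2k_hat_to_axis))` around the `for`, so an out-of-range value produces no hat event at all. If the clamp is kept, a short comment that index 0 is the neutral position would document why 0 is the chosen fallback.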
-- 
2.50.1 (Apple Git-155)
Re: [PATCH] Input: gf2k: clamp hat values to the lookup table
Posted by Dmitry Torokhov 1 week, 2 days ago
On Mon, Mar 23, 2026 at 03:45:41PM +0800, Pengpeng Hou wrote:
> gf2k_read() decodes the hat position from a 4-bit field and uses it
> directly to index gf2k_hat_to_axis[]. The lookup table only has nine
> entries, so malformed packets can read past the end of the fixed table.
> 
> Clamp invalid hat values to the neutral position before indexing the
> lookup table.
> 
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
>  drivers/input/joystick/gf2k.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/input/joystick/gf2k.c b/drivers/input/joystick/gf2k.c
> index 5a1cdce0bc48..78fba36285dc 100644
> --- a/drivers/input/joystick/gf2k.c
> +++ b/drivers/input/joystick/gf2k.c
> @@ -164,6 +164,8 @@ static void gf2k_read(struct gf2k *gf2k, unsigned char *data)
>  		input_report_abs(dev, gf2k_abs[i], GB(i*9+60,8,0) | GB(i+54,1,9));
>  
>  	t = GB(40,4,0);
> +	if (t >= ARRAY_SIZE(gf2k_hat_to_axis))
> +		t = 0;

I think if "t" is too big we should skip the loop instead of reporting
the first axis.

>  
>  	for (i = 0; i < gf2k_hats[gf2k->id]; i++)
>  		input_report_abs(dev, ABS_HAT0X + i, gf2k_hat_to_axis[t][i]);
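Review bot: the added check bounds only the first index of `gf2k_hat_to_axis[t][i]`; the second index `i` is still limited solely by `gf2k_hats[gf2k->id]`, and nothing in this hunk shows that each row is wide enough for the largest hat count that table can hold. It would help to state that guarantee in the commit message, or to also bound the loop with `ARRAY_SIZE(gf2k_hat_to_axis[0])` so both dimensions are checked in one place.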

Thanks.

-- 
Dmitry