Potential buffer overread in sync_mt_state
While looking through the changes in libevdev-1.9.0, I noticed it is possible to read past the end of the changes array in sync_mt_state if dev->num_slots > MAX_SLOTS.
A possible fix might be to use min(dev->num_slots, MAX_SLOTS) here instead.
As a side note, I reverted the changes to use VLAs in mforney/libevdev@master...revert-vla, which also solves the problem. I don't expect that you're interested in this change, so I'll just be maintaining it as a local patch.
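The clamp suggested in the report, shown on a simplified model as an added example. This is not libevdev's code and not part of the original post: `struct device`, `clamp_slots`, `sync_changes`, `demo_oversized` and the tracking-id arrays are hypothetical, the value 256 for `MAX_SLOTS` is assumed, and the 300-slot input is constructed.

```c
#include <stdio.h>

#define MAX_SLOTS 256   /* capacity of the fixed array; name from the report */

/* Hypothetical stand-in for the device state, reduced to what the check needs. */
struct device {
    int num_slots;       /* device-reported, may exceed MAX_SLOTS */
    const int *old_id;   /* num_slots entries: cached tracking ids */
    const int *new_id;   /* num_slots entries: freshly read tracking ids */
};

/* Number of slots that can be walked with a MAX_SLOTS-sized array. */
static int clamp_slots(int num_slots)
{
    if (num_slots <= 0)
        return 0;
    return num_slots < MAX_SLOTS ? num_slots : MAX_SLOTS;
}

/* Returns how many slots changed; *skipped receives the count beyond MAX_SLOTS. */
static int sync_changes(const struct device *dev, int *skipped)
{
    int changes[MAX_SLOTS] = {0};
    int nslots = clamp_slots(dev->num_slots);
    int nchanged = 0;
    /* Bounding these loops by dev->num_slots instead would index changes[]
     * out of range whenever the device reports more than MAX_SLOTS slots. */
    for (int i = 0; i < nslots; i++)
        changes[i] = dev->old_id[i] != dev->new_id[i];
    for (int i = 0; i < nslots; i++)
        nchanged += changes[i];
    *skipped = dev->num_slots > nslots ? dev->num_slots - nslots : 0;
    return nchanged;
}

/* Constructed input: 300 slots, every tracking id differs. */
static int demo_oversized(int *skipped)
{
    static int old_id[300], new_id[300];
    for (int i = 0; i < 300; i++) { old_id[i] = -1; new_id[i] = i; }
    struct device dev = { 300, old_id, new_id };
    return sync_changes(&dev, skipped);
}

int main(void)
{
    int skipped, n = demo_oversized(&skipped);
    return printf("changed=%d skipped=%d\n", n, skipped) < 0;
}
```

With the clamp, slots past `MAX_SLOTS` are not synced at all, so the model reports them in `skipped` rather than dropping them silently.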