Fix out-of-bounds memory accesses resulting from handleKeyswitchEvent()

pull/189/head
Craig Disselkoen 7 years ago
parent 5facda8a65
commit 44ebeed109

@ -44,6 +44,20 @@ static bool handleKeyswitchEventDefault(Key mappedKey, byte row, byte col, uint8
} }
void handleKeyswitchEvent(Key mappedKey, byte row, byte col, uint8_t keyState) { void handleKeyswitchEvent(Key mappedKey, byte row, byte col, uint8_t keyState) {
/* These first steps are only done for keypresses that have a real (row,col).
* In particular, doing them for keypresses with out-of-bounds (row,col)
* would cause out-of-bounds array accesses in Layer.lookup(),
* Layer.updateLiveCompositeKeymap(), etc.
* Perhaps this check should instead be for INJECTED - I'm not clear on
* whether keypresses with out-of-bounds (row,col) are the same as
* keypresses with INJECTED set, or are a superset or a subset of
* INJECTED keypresses. In any case, the (row,col) test is *safe* in that
* it avoids out-of-bounds accesses, at least in core. (Can't promise
* anything about event handlers - they may still receive out-of-bounds
* (row,col), and handling that properly is on them.)
*/
if (row < ROWS && col < COLS) {
/* If a key had an on or off event, we update the live composite keymap. See /* If a key had an on or off event, we update the live composite keymap. See
* layers.h for an explanation about the different caches we have. */ * layers.h for an explanation about the different caches we have. */
if (keyToggledOn(keyState) || keyToggledOff(keyState)) if (keyToggledOn(keyState) || keyToggledOff(keyState))
@ -68,6 +82,10 @@ void handleKeyswitchEvent(Key mappedKey, byte row, byte col, uint8_t keyState) {
mappedKey = Layer.lookup(row, col); mappedKey = Layer.lookup(row, col);
} }
} // row < ROWS && col < COLS
// Keypresses with out-of-bounds (row,col) start here in the processing chain
for (byte i = 0; Kaleidoscope.eventHandlers[i] != NULL && i < HOOK_MAX; i++) { for (byte i = 0; Kaleidoscope.eventHandlers[i] != NULL && i < HOOK_MAX; i++) {
Kaleidoscope_::eventHandlerHook handler = Kaleidoscope.eventHandlers[i]; Kaleidoscope_::eventHandlerHook handler = Kaleidoscope.eventHandlers[i];
mappedKey = (*handler)(mappedKey, row, col, keyState); mappedKey = (*handler)(mappedKey, row, col, keyState);

Loading…
Cancel
Save