From bc0ed7eefde06a804f1f74116df9a892ecd69cc1 Mon Sep 17 00:00:00 2001
From: Chase Douglas <chase.douglas@canonical.com>
Date: Mon, 9 Apr 2012 11:33:41 -0700
Subject: [PATCH] Fix crash on Apple trackpads when touching with more than 10
 fingers (LP: #974017)

* Fix crash on Apple trackpads when touching with more than 10 fingers
  (LP: #974017)
  - Add temporary patch 202_touch_record_bounds_check.patch
---
 debian/changelog                                   |    8 +++++
 debian/patches/202_touch_record_bounds_check.patch |   33 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 3 files changed, 42 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/202_touch_record_bounds_check.patch

diff --git a/debian/changelog b/debian/changelog
index 80237c3..0984ed1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+xserver-xorg-input-synaptics (1.5.99.902-0ubuntu3) UNRELEASED; urgency=low
+
+  * Fix crash on Apple trackpads when touching with more than 10 fingers
+    (LP: #974017)
+    - Add temporary patch 202_touch_record_bounds_check.patch
+
+ -- Chase Douglas <chase.douglas@ubuntu.com>  Mon, 09 Apr 2012 11:32:34 -0700
+
 xserver-xorg-input-synaptics (1.5.99.902-0ubuntu2) precise; urgency=low
 
   * Fix three touch taps and clicks on some trackpads (LP: #971783)
diff --git a/debian/patches/202_touch_record_bounds_check.patch b/debian/patches/202_touch_record_bounds_check.patch
new file mode 100644
index 0000000..68d1f47
--- /dev/null
+++ b/debian/patches/202_touch_record_bounds_check.patch
@@ -0,0 +1,33 @@
+From ddc94b7850b357364b2fd63e4047f594ab21e48f Mon Sep 17 00:00:00 2001
+From: Chase Douglas <chase.douglas@canonical.com>
+Date: Mon, 9 Apr 2012 11:29:15 -0700
+Subject: [PATCH] Check touch record bounds before access
+
+We guess ten simultaneous touches if the device does not tell us. The
+Linux drivers for the Apple multitouch trackpads do not tell the number
+of simultaneous touches, but they can do more than ten. When this
+occurs, the array index into the touch records will be invalid. We must
+not process the touch or else we will segfault.
+
+Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
+---
+ src/eventcomm.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/src/eventcomm.c b/src/eventcomm.c
+index 3ceb98c..9d1233c 100644
+--- a/src/eventcomm.c
++++ b/src/eventcomm.c
+@@ -564,6 +564,9 @@ EventProcessTouchEvent(InputInfoPtr pInfo, struct SynapticsHwState *hw,
+     {
+         int slot_index = last_mt_vals_slot(priv);
+ 
++        if (slot_index < 0)
++            return;
++
+         if (hw->slot_state[slot_index] == SLOTSTATE_EMPTY ||
+             hw->slot_state[slot_index] == SLOTSTATE_OPEN_EMPTY)
+             hw->slot_state[slot_index] = SLOTSTATE_UPDATE;
+-- 
+1.7.9.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 06f6c8e..5045611 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,4 @@
 # Temporary patches until they are merged upstream
 200_fix_four_tap.patch
 201_fix_touch_count.patch
+202_touch_record_bounds_check.patch
-- 
1.7.9.1