From 5948da237229177e4d9002574daeade18699864b Mon Sep 17 00:00:00 2001
From: Essem <smswessem@gmail.com>
Date: Sat, 13 Jul 2024 20:11:47 -0500
Subject: [PATCH] Fix buffer overflow when zeroing Logitech G815/G915 little
 frame buffer data

---
 .../LogitechG815Controller/RGBController_LogitechG815.cpp       | 2 +-
 .../LogitechG915Controller/RGBController_LogitechG915.cpp       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Controllers/LogitechController/LogitechG815Controller/RGBController_LogitechG815.cpp b/Controllers/LogitechController/LogitechG815Controller/RGBController_LogitechG815.cpp
index fec2bf3b..bb3c3235 100644
--- a/Controllers/LogitechController/LogitechG815Controller/RGBController_LogitechG815.cpp
+++ b/Controllers/LogitechController/LogitechG815Controller/RGBController_LogitechG815.cpp
@@ -467,7 +467,7 @@ void RGBController_LogitechG815::DeviceUpdateLEDs()
         /*-----------------------------------------------------*\
         | Zeroing just what is needed                           |
         \*-----------------------------------------------------*/
-        memset(frame_buffer_little_mode + (led_in_little_frame * 4 + 1), 0x00, sizeof(frame_buffer_little_mode) - led_in_little_frame * 4);
+        memset(frame_buffer_little_mode + (led_in_little_frame * 4 - 1), 0x00, sizeof(frame_buffer_little_mode) - led_in_little_frame * 4);
 
         /*-----------------------------------------------------*\
         | Data byte                                             |
diff --git a/Controllers/LogitechController/LogitechG915Controller/RGBController_LogitechG915.cpp b/Controllers/LogitechController/LogitechG915Controller/RGBController_LogitechG915.cpp
index c302ead5..77508c84 100644
--- a/Controllers/LogitechController/LogitechG915Controller/RGBController_LogitechG915.cpp
+++ b/Controllers/LogitechController/LogitechG915Controller/RGBController_LogitechG915.cpp
@@ -527,7 +527,7 @@ void RGBController_LogitechG915::DeviceUpdateLEDs()
         /*-----------------------------------------------------*\
         | Zeroing just what is needed                           |
         \*-----------------------------------------------------*/
-        memset(frame_buffer_little_mode + (led_in_little_frame * 4 + 1), 0x00, sizeof(frame_buffer_little_mode) - led_in_little_frame * 4);
+        memset(frame_buffer_little_mode + (led_in_little_frame * 4 - 1), 0x00, sizeof(frame_buffer_little_mode) - led_in_little_frame * 4);
 
         /*-----------------------------------------------------*\
         | Data byte                                             |