diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-09-13 10:44:44 +0300 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2013-09-13 14:31:51 +0200 |
commit | 0c21fccd97f0ff58e6e9699370a09f6ec8946061 (patch) | |
tree | 75f54f5361d4869e817a6cca38a62c9e73256d0b | |
parent | 3d0049e8529adaa36c38a7b400792f6c37b66c92 (diff) | |
download | linux-0c21fccd97f0ff58e6e9699370a09f6ec8946061.tar.bz2 |
ALSA: asihpi: a couple array out of bounds issues
These ->put() functions are called from snd_ctl_elem_write() with user
supplied data. snd_asihpi_tuner_band_put() is missing a limit check and
the check in snd_asihpi_clksrc_put() can underflow.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
-rw-r--r-- | sound/pci/asihpi/asihpi.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/sound/pci/asihpi/asihpi.c b/sound/pci/asihpi/asihpi.c index dc632cdc3870..5f2acd35dcb9 100644 --- a/sound/pci/asihpi/asihpi.c +++ b/sound/pci/asihpi/asihpi.c @@ -1913,6 +1913,7 @@ static int snd_asihpi_tuner_band_put(struct snd_kcontrol *kcontrol, struct snd_card_asihpi *asihpi = snd_kcontrol_chip(kcontrol); */ u32 h_control = kcontrol->private_value; + unsigned int idx; u16 band; u16 tuner_bands[HPI_TUNER_BAND_LAST]; u32 num_bands = 0; @@ -1920,7 +1921,10 @@ static int snd_asihpi_tuner_band_put(struct snd_kcontrol *kcontrol, num_bands = asihpi_tuner_band_query(kcontrol, tuner_bands, HPI_TUNER_BAND_LAST); - band = tuner_bands[ucontrol->value.enumerated.item[0]]; + idx = ucontrol->value.enumerated.item[0]; + if (idx >= ARRAY_SIZE(tuner_bands)) + idx = ARRAY_SIZE(tuner_bands) - 1; + band = tuner_bands[idx]; hpi_handle_error(hpi_tuner_set_band(h_control, band)); return 1; @@ -2383,7 +2387,8 @@ static int snd_asihpi_clksrc_put(struct snd_kcontrol *kcontrol, struct snd_card_asihpi *asihpi = (struct snd_card_asihpi *)(kcontrol->private_data); struct clk_cache *clkcache = &asihpi->cc; - int change, item; + unsigned int item; + int change; u32 h_control = kcontrol->private_value; change = 1; |