ALSA: isa/wavefront: prevent some out of bound writes

"header->number" can be up to USHRT_MAX and it comes from the ioctl so
it needs to be capped.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
Dan Carpenter 2016-05-04 09:27:37 +03:00 committed by Takashi Iwai
parent e4ec8cc803
commit 84d7a4470d

View File

@ -785,6 +785,9 @@ wavefront_send_patch (snd_wavefront_t *dev, wavefront_patch_info *header)
DPRINT (WF_DEBUG_LOAD_PATCH, "downloading patch %d\n",
header->number);
if (header->number >= ARRAY_SIZE(dev->patch_status))
return -EINVAL;
dev->patch_status[header->number] |= WF_SLOT_FILLED;
bptr = buf;
@ -809,6 +812,9 @@ wavefront_send_program (snd_wavefront_t *dev, wavefront_patch_info *header)
DPRINT (WF_DEBUG_LOAD_PATCH, "downloading program %d\n",
header->number);
if (header->number >= ARRAY_SIZE(dev->prog_status))
return -EINVAL;
dev->prog_status[header->number] = WF_SLOT_USED;
/* XXX need to zero existing SLOT_USED bit for program_status[i]
@ -898,6 +904,9 @@ wavefront_send_sample (snd_wavefront_t *dev,
header->number = x;
}
if (header->number >= WF_MAX_SAMPLE)
return -EINVAL;
if (header->size) {
/* XXX it's a debatable point whether or not RDONLY semantics