forked from Minki/linux
ALSA: isa/wavefront: prevent some out of bound writes
"header->number" can be up to USHRT_MAX and it comes from the ioctl so it needs to be capped. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
parent
e4ec8cc803
commit
84d7a4470d
@ -785,6 +785,9 @@ wavefront_send_patch (snd_wavefront_t *dev, wavefront_patch_info *header)
|
||||
DPRINT (WF_DEBUG_LOAD_PATCH, "downloading patch %d\n",
|
||||
header->number);
|
||||
|
||||
if (header->number >= ARRAY_SIZE(dev->patch_status))
|
||||
return -EINVAL;
|
||||
|
||||
dev->patch_status[header->number] |= WF_SLOT_FILLED;
|
||||
|
||||
bptr = buf;
|
||||
@ -809,6 +812,9 @@ wavefront_send_program (snd_wavefront_t *dev, wavefront_patch_info *header)
|
||||
DPRINT (WF_DEBUG_LOAD_PATCH, "downloading program %d\n",
|
||||
header->number);
|
||||
|
||||
if (header->number >= ARRAY_SIZE(dev->prog_status))
|
||||
return -EINVAL;
|
||||
|
||||
dev->prog_status[header->number] = WF_SLOT_USED;
|
||||
|
||||
/* XXX need to zero existing SLOT_USED bit for program_status[i]
|
||||
@ -898,6 +904,9 @@ wavefront_send_sample (snd_wavefront_t *dev,
|
||||
header->number = x;
|
||||
}
|
||||
|
||||
if (header->number >= WF_MAX_SAMPLE)
|
||||
return -EINVAL;
|
||||
|
||||
if (header->size) {
|
||||
|
||||
/* XXX it's a debatable point whether or not RDONLY semantics
|
||||
|
Loading…
Reference in New Issue
Block a user