sound: aedsp16: Buffer overflow

DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes
including terminating null.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

authored by Roel Kluin and committed by Takashi Iwai c45ec06c 4be3bd78

+5 -4
+5 -4
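--- a/sound/oss/aedsp16.c
+++ b/sound/oss/aedsp16.c
@@ -325,8 +325,9 @@
 /*
 * Size of character arrays that store name and version of sound card
 */
-#define CARDNAMELEN 15 /* Size of the card's name in chars */
-#define CARDVERLEN 2 /* Size of the card's version in chars */
+#define CARDNAMELEN 15 /* Size of the card's name in chars */
+#define CARDVERLEN 10 /* Size of the card's version in chars */
+#define CARDVERDIGITS 2 /* Number of digits in the version */
 
 #if defined(CONFIG_SC6600)
 /*
@@ -411,7 +410,7 @@
 
 static int soft_cfg __initdata = 0; /* bitmapped config */
 static int soft_cfg_mss __initdata = 0; /* bitmapped mss config */
-static int ver[CARDVERLEN] __initdata = {0, 0}; /* DSP Ver:
+static int ver[CARDVERDIGITS] __initdata = {0, 0}; /* DSP Ver:
 hi->ver[0] lo->ver[1] */
 
 #if defined(CONFIG_SC6600)
@@ -958,7 +957,7 @@
 * string is finished.
 */
 ver[len++] = ret;
-} while (len < CARDVERLEN);
+} while (len < CARDVERDIGITS);
 sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);
 
 DBG(("success.\n"));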
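Review bot: The `sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);` context line in the last hunk is still an unbounded write, so the fix holds only while DSPVersion's declaration (not shown in this section) stays sized from CARDVERLEN and the two values read from the DSP stay short. `ver[]` is an int array filled from `ret`, whose range is not visible here; two full-width ints would format to more than 10 characters. Bounding the write at the call site, e.g. `snprintf(DSPVersion, sizeof(DSPVersion), "%d.%d", ver[0], ver[1]);` (assuming DSPVersion is an array in scope, as the commit message says), keeps the buffer size and the format in agreement whatever the macro values are. The comment on CARDVERLEN could also state whether the count includes the terminating NUL. The enclosing function starts and ends outside the hunk.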