summaryrefslogtreecommitdiffstats
path: root/sound/isa/wavefront
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2016-05-04 08:27:37 +0200
committerTakashi Iwai <tiwai@suse.de>2016-05-08 11:39:44 +0200
commit84d7a4470dbac0dd9389050100b54a1625d04264 (patch)
tree19fbd6b26fc3fc8c7bce4f3441c44f518abd46e0 /sound/isa/wavefront
parentALSA: timer: Fix leak in events via snd_timer_user_tinterrupt (diff)
downloadlinux-84d7a4470dbac0dd9389050100b54a1625d04264.tar.xz
linux-84d7a4470dbac0dd9389050100b54a1625d04264.zip
ALSA: isa/wavefront: prevent some out of bound writes
"header->number" can be up to USHRT_MAX and it comes from the ioctl so it needs to be capped. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/isa/wavefront')
-rw-r--r--sound/isa/wavefront/wavefront_synth.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c
index 69f76ff5693d..718d5e3b7806 100644
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -785,6 +785,9 @@ wavefront_send_patch (snd_wavefront_t *dev, wavefront_patch_info *header)
DPRINT (WF_DEBUG_LOAD_PATCH, "downloading patch %d\n",
header->number);
+ if (header->number >= ARRAY_SIZE(dev->patch_status))
+ return -EINVAL;
+
dev->patch_status[header->number] |= WF_SLOT_FILLED;
bptr = buf;
@@ -809,6 +812,9 @@ wavefront_send_program (snd_wavefront_t *dev, wavefront_patch_info *header)
DPRINT (WF_DEBUG_LOAD_PATCH, "downloading program %d\n",
header->number);
+ if (header->number >= ARRAY_SIZE(dev->prog_status))
+ return -EINVAL;
+
dev->prog_status[header->number] = WF_SLOT_USED;
/* XXX need to zero existing SLOT_USED bit for program_status[i]
@@ -898,6 +904,9 @@ wavefront_send_sample (snd_wavefront_t *dev,
header->number = x;
}
+ if (header->number >= WF_MAX_SAMPLE)
+ return -EINVAL;
+
if (header->size) {
/* XXX it's a debatable point whether or not RDONLY semantics