summaryrefslogtreecommitdiffstats
path: root/sound
diff options
context:
space:
mode:
authorDan Rosenberg <drosenberg@vsecurity.com>2011-03-23 16:42:57 +0100
committerTakashi Iwai <tiwai@suse.de>2011-03-23 22:48:13 +0100
commit4d00135a680727f6c3be78f8befaac009030e4df (patch)
tree730a88b218c6540feda268aa6df5d9ef349abc5a /sound
parentsound/oss: remove offset from load_patch callbacks (diff)
downloadlinux-4d00135a680727f6c3be78f8befaac009030e4df.tar.xz
linux-4d00135a680727f6c3be78f8befaac009030e4df.zip
sound/oss/opl3: validate voice and channel indexes
User-controllable indexes for voice and channel values may cause reading and writing beyond the bounds of their respective arrays, leading to potentially exploitable memory corruption. Validate these indexes. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: stable@kernel.org Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound')
-rw-r--r--sound/oss/opl3.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c
index cbf957424d5c..407cd677950b 100644
--- a/sound/oss/opl3.c
+++ b/sound/oss/opl3.c
@@ -845,6 +845,10 @@ static int opl3_load_patch(int dev, int format, const char __user *addr,
static void opl3_panning(int dev, int voice, int value)
{
+
+ if (voice < 0 || voice >= devc->nr_voice)
+ return;
+
devc->voc[voice].panning = value;
}
@@ -1062,8 +1066,15 @@ static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info
static void opl3_setup_voice(int dev, int voice, int chn)
{
- struct channel_info *info =
- &synth_devs[dev]->chn_info[chn];
+ struct channel_info *info;
+
+ if (voice < 0 || voice >= devc->nr_voice)
+ return;
+
+ if (chn < 0 || chn > 15)
+ return;
+
+ info = &synth_devs[dev]->chn_info[chn];
opl3_set_instr(dev, voice, info->pgm_num);