* [PATCH] ALSA: Write outside array bounds @ 2009-07-29 10:25 Roel Kluin 2009-07-29 11:31 ` [PATCH v2] hda: fix out-of-bound hdmi_eld.sad[] write Wu Fengguang 2009-07-30 10:57 ` [PATCH] ALSA: Write outside array bounds Alan Horstmann 0 siblings, 2 replies; 4+ messages in thread From: Roel Kluin @ 2009-07-29 10:25 UTC (permalink / raw) To: wfg, tiwai, alsa-devel, Andrew Morton e->sad[] is declared with size ELD_MAX_SAD (16), but the guard allows the range 0-31 Signed-off-by: Roel Kluin <roel.kluin@gmail.com> --- Found with Parfait, http://research.sun.com/projects/parfait/ diff --git a/sound/pci/hda/hda_eld.c b/sound/pci/hda/hda_eld.c index fcad5ec..ec04e58 100644 --- a/sound/pci/hda/hda_eld.c +++ b/sound/pci/hda/hda_eld.c @@ -539,7 +539,7 @@ static void hdmi_write_eld_info(struct snd_info_entry *entry, sname++; n = 10 * n + name[4] - '0'; } - if (n < 0 || n > 31) /* double the CEA limit */ + if (n < 0 || n > ELD_MAX_SAD) continue; if (!strcmp(sname, "_coding_type")) e->sad[n].format = val; ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2] hda: fix out-of-bound hdmi_eld.sad[] write 2009-07-29 10:25 [PATCH] ALSA: Write outside array bounds Roel Kluin @ 2009-07-29 11:31 ` Wu Fengguang 2009-07-29 12:45 ` Takashi Iwai 2009-07-30 10:57 ` [PATCH] ALSA: Write outside array bounds Alan Horstmann 1 sibling, 1 reply; 4+ messages in thread From: Wu Fengguang @ 2009-07-29 11:31 UTC (permalink / raw) To: Roel Kluin; +Cc: tiwai, alsa-devel, Andrew Morton On Wed, Jul 29, 2009 at 12:25:11PM +0200, Roel Kluin wrote: > e->sad[] is declared with size ELD_MAX_SAD (16), but the guard allows > the range 0-31 Good catch, thank you, Roel! Minor fix: '>=' should be used in this line: > + if (n < 0 || n > ELD_MAX_SAD) So I'd suggest this updated patch. Thanks, Fengguang --- hda: fix out-of-bound hdmi_eld.sad[] write From: Roel Kluin <roel.kluin@gmail.com> e->sad[] is declared with size ELD_MAX_SAD=16, but the guard allows range 0-31. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Wu Fengguang <fengguang.wu@intel.com> --- sound/pci/hda/hda_eld.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- sound-2.6.orig/sound/pci/hda/hda_eld.c +++ sound-2.6/sound/pci/hda/hda_eld.c @@ -508,7 +508,7 @@ static void hdmi_write_eld_info(struct s char name[64]; char *sname; long long val; - int n; + unsigned int n; while (!snd_info_get_line(buffer, line, sizeof(line))) { if (sscanf(line, "%s %llx", name, &val) != 2) @@ -539,7 +539,7 @@ static void hdmi_write_eld_info(struct s sname++; n = 10 * n + name[4] - '0'; } - if (n < 0 || n > 31) /* double the CEA limit */ + if (n >= ELD_MAX_SAD) continue; if (!strcmp(sname, "_coding_type")) e->sad[n].format = val; ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] hda: fix out-of-bound hdmi_eld.sad[] write 2009-07-29 11:31 ` [PATCH v2] hda: fix out-of-bound hdmi_eld.sad[] write Wu Fengguang @ 2009-07-29 12:45 ` Takashi Iwai 0 siblings, 0 replies; 4+ messages in thread From: Takashi Iwai @ 2009-07-29 12:45 UTC (permalink / raw) To: Wu Fengguang; +Cc: alsa-devel, Roel Kluin, Andrew Morton At Wed, 29 Jul 2009 19:31:14 +0800, Wu Fengguang wrote: > > On Wed, Jul 29, 2009 at 12:25:11PM +0200, Roel Kluin wrote: > > e->sad[] is declared with size ELD_MAX_SAD (16), but the guard allows > > the range 0-31 > > Good catch, thank you, Roel! > > Minor fix: '>=' should be used in this line: > > > + if (n < 0 || n > ELD_MAX_SAD) > > So I'd suggest this updated patch. Applied the updated one now. Thanks. Takashi > Thanks, > Fengguang > --- > hda: fix out-of-bound hdmi_eld.sad[] write > > From: Roel Kluin <roel.kluin@gmail.com> > > e->sad[] is declared with size ELD_MAX_SAD=16, but the guard > allows range 0-31. > > Signed-off-by: Roel Kluin <roel.kluin@gmail.com> > Signed-off-by: Wu Fengguang <fengguang.wu@intel.com> > --- > sound/pci/hda/hda_eld.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > --- sound-2.6.orig/sound/pci/hda/hda_eld.c > +++ sound-2.6/sound/pci/hda/hda_eld.c > @@ -508,7 +508,7 @@ static void hdmi_write_eld_info(struct s > char name[64]; > char *sname; > long long val; > - int n; > + unsigned int n; > > while (!snd_info_get_line(buffer, line, sizeof(line))) { > if (sscanf(line, "%s %llx", name, &val) != 2) > @@ -539,7 +539,7 @@ static void hdmi_write_eld_info(struct s > sname++; > n = 10 * n + name[4] - '0'; > } > - if (n < 0 || n > 31) /* double the CEA limit */ > + if (n >= ELD_MAX_SAD) > continue; > if (!strcmp(sname, "_coding_type")) > e->sad[n].format = val; > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ALSA: Write outside array bounds 2009-07-29 10:25 [PATCH] ALSA: Write outside array bounds Roel Kluin 2009-07-29 11:31 ` [PATCH v2] hda: fix out-of-bound hdmi_eld.sad[] write Wu Fengguang @ 2009-07-30 10:57 ` Alan Horstmann 1 sibling, 0 replies; 4+ messages in thread From: Alan Horstmann @ 2009-07-30 10:57 UTC (permalink / raw) To: Roel Kluin; +Cc: ALSA devel On Wednesday 29 July 2009 11:25, Roel Kluin wrote: > e->sad[] is declared with size ELD_MAX_SAD (16), but the guard allows > the range 0-31 > > Signed-off-by: Roel Kluin <roel.kluin@gmail.com> > --- > Found with Parfait, http://research.sun.com/projects/parfait/ I've been looking for this tool to evaluate; is it available publically, or do you have 'privilaged access'? Thanks Alan ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2009-07-30 10:45 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2009-07-29 10:25 [PATCH] ALSA: Write outside array bounds Roel Kluin 2009-07-29 11:31 ` [PATCH v2] hda: fix out-of-bound hdmi_eld.sad[] write Wu Fengguang 2009-07-29 12:45 ` Takashi Iwai 2009-07-30 10:57 ` [PATCH] ALSA: Write outside array bounds Alan Horstmann
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.