* [PATCH] ALSA: Write outside array bounds
@ 2009-07-29 10:25 Roel Kluin
  2009-07-29 11:31 ` [PATCH v2] hda: fix out-of-bound hdmi_eld.sad[] write Wu Fengguang
  2009-07-30 10:57 ` [PATCH] ALSA: Write outside array bounds Alan Horstmann
  0 siblings, 2 replies; 4+ messages in thread
From: Roel Kluin @ 2009-07-29 10:25 UTC (permalink / raw)
  To: wfg, tiwai, alsa-devel, Andrew Morton

e->sad[] is declared with size ELD_MAX_SAD (16), but the guard allows
the range 0-31

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
Found with Parfait, http://research.sun.com/projects/parfait/

diff --git a/sound/pci/hda/hda_eld.c b/sound/pci/hda/hda_eld.c
index fcad5ec..ec04e58 100644
--- a/sound/pci/hda/hda_eld.c
+++ b/sound/pci/hda/hda_eld.c
@@ -539,7 +539,7 @@ static void hdmi_write_eld_info(struct snd_info_entry *entry,
 				sname++;
 				n = 10 * n + name[4] - '0';
 			}
-			if (n < 0 || n > 31) /* double the CEA limit */
+			if (n < 0 || n > ELD_MAX_SAD)
 				continue;
 			if (!strcmp(sname, "_coding_type"))
 				e->sad[n].format = val;
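Review bot: The new upper bound in `if (n < 0 || n > ELD_MAX_SAD)` still lets n == ELD_MAX_SAD through. With sad[] declared with ELD_MAX_SAD (16) entries, the last valid index is ELD_MAX_SAD - 1, so `e->sad[n].format = val;` can still write one element past the array. Use `n >= ELD_MAX_SAD` for the upper test.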


* [PATCH v2] hda: fix out-of-bound hdmi_eld.sad[] write
  2009-07-29 10:25 [PATCH] ALSA: Write outside array bounds Roel Kluin
@ 2009-07-29 11:31 ` Wu Fengguang
  2009-07-29 12:45   ` Takashi Iwai
  2009-07-30 10:57 ` [PATCH] ALSA: Write outside array bounds Alan Horstmann
  1 sibling, 1 reply; 4+ messages in thread
From: Wu Fengguang @ 2009-07-29 11:31 UTC (permalink / raw)
  To: Roel Kluin; +Cc: tiwai, alsa-devel, Andrew Morton

On Wed, Jul 29, 2009 at 12:25:11PM +0200, Roel Kluin wrote:
> e->sad[] is declared with size ELD_MAX_SAD (16), but the guard allows
> the range 0-31

Good catch, thank you, Roel!

Minor fix: '>=' should be used in this line:

> +			if (n < 0 || n > ELD_MAX_SAD)

So I'd suggest this updated patch.

Thanks,
Fengguang
---
hda: fix out-of-bound hdmi_eld.sad[] write

From: Roel Kluin <roel.kluin@gmail.com>

e->sad[] is declared with size ELD_MAX_SAD=16, but the guard
allows range 0-31.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
---
 sound/pci/hda/hda_eld.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- sound-2.6.orig/sound/pci/hda/hda_eld.c
+++ sound-2.6/sound/pci/hda/hda_eld.c
@@ -508,7 +508,7 @@ static void hdmi_write_eld_info(struct s
 	char name[64];
 	char *sname;
 	long long val;
-	int n;
+	unsigned int n;
 
 	while (!snd_info_get_line(buffer, line, sizeof(line))) {
 		if (sscanf(line, "%s %llx", name, &val) != 2)
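Review bot: The change of `n` from `int` to `unsigned int` is not mentioned in the changelog, although the second hunk relies on it to drop the `n < 0` test. Add a sentence saying that a negative result of the index arithmetic now wraps to a large unsigned value and is rejected by the `>= ELD_MAX_SAD` comparison, so nobody later switches `n` back to a signed type without restoring the lower-bound check. Separately, the context line scans `%s` into `char name[64]` with no field width; confirm that `line` cannot hold more than 64 bytes, or use `%63s`.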
@@ -539,7 +539,7 @@ static void hdmi_write_eld_info(struct s
 				sname++;
 				n = 10 * n + name[4] - '0';
 			}
-			if (n < 0 || n > 31) /* double the CEA limit */
+			if (n >= ELD_MAX_SAD)
 				continue;
 			if (!strcmp(sname, "_coding_type"))
 				e->sad[n].format = val;
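Review bot: The removed comment `/* double the CEA limit */` says the old bound of 31 was chosen on purpose, and the changelog does not say what now happens to indices 16-31: they are skipped by `continue` with no diagnostic. State in the changelog that ELD_MAX_SAD is the intended limit, or, if 32 entries were really meant, size sad[] accordingly instead of tightening the guard.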

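The three guards discussed in this thread, compared side by side in an added example (not code from the thread or from the kernel). The index parsing is a simplified assumption based on the hunk's context lines, the input lines are constructed, and `arena` is a model in which the 16 slots after sad[] stand in for adjacent memory, so the spill can be counted without undefined behaviour.

```c
#include <stdio.h>
#define ELD_MAX_SAD 16           /* sad[] size given in the thread */
#define ARENA (2 * ELD_MAX_SAD)  /* model only: sad[] plus 16 adjacent slots */

enum guard { GUARD_ORIG, GUARD_V1, GUARD_V2 };

/* Returns 1 when the guard would skip ("continue") index n. */
static int rejected(enum guard g, int n)
{
	switch (g) {
	case GUARD_ORIG: return n < 0 || n > 31;
	case GUARD_V1:   return n < 0 || n > ELD_MAX_SAD;
	default:         return (unsigned int)n >= ELD_MAX_SAD; /* v2 */
	}
}

/* Constructed input lines in a "sadN_coding_type <hex>" shape. */
static const char *const lines[] = {
	"sad0_coding_type 1", "sad15_coding_type 1", "sad16_coding_type 1",
	"sad31_coding_type 1", "sad40_coding_type 1",
};

/* Run the lines through one guard; count writes that land past sad[]. */
static int oob_writes(enum guard g)
{
	unsigned long long arena[ARENA] = {0}, val;
	char name[64];
	int n, oob = 0;
	size_t i;
	for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
		if (sscanf(lines[i], "%63s %llx", name, &val) != 2)
			continue;
		n = name[3] - '0';   /* assumed: first index digit follows "sad" */
		if (name[4] >= '0' && name[4] <= '9')
			n = 10 * n + name[4] - '0';
		if (rejected(g, n))
			continue;
		arena[n] = val;      /* every guard keeps n within 0..31 */
	}
	for (i = ELD_MAX_SAD; i < ARENA; i++)
		oob += arena[i] != 0;
	return oob;
}

int main(void)
{
	printf("original=%d v1=%d v2=%d\n", oob_writes(GUARD_ORIG), oob_writes(GUARD_V1), oob_writes(GUARD_V2));
	return 0;
}
```

With these inputs the original guard lets indices 16 and 31 through, the first patch still lets 16 through, and the updated patch lets none through.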

* Re: [PATCH v2] hda: fix out-of-bound hdmi_eld.sad[] write
  2009-07-29 11:31 ` [PATCH v2] hda: fix out-of-bound hdmi_eld.sad[] write Wu Fengguang
@ 2009-07-29 12:45   ` Takashi Iwai
  0 siblings, 0 replies; 4+ messages in thread
From: Takashi Iwai @ 2009-07-29 12:45 UTC (permalink / raw)
  To: Wu Fengguang; +Cc: alsa-devel, Roel Kluin, Andrew Morton

At Wed, 29 Jul 2009 19:31:14 +0800,
Wu Fengguang wrote:
> 
> On Wed, Jul 29, 2009 at 12:25:11PM +0200, Roel Kluin wrote:
> > e->sad[] is declared with size ELD_MAX_SAD (16), but the guard allows
> > the range 0-31
> 
> Good catch, thank you, Roel!
> 
> Minor fix: '>=' should be used in this line:
> 
> > +			if (n < 0 || n > ELD_MAX_SAD)
> 
> So I'd suggest this updated patch.

Applied the updated one now.  Thanks.


Takashi


> Thanks,
> Fengguang
> ---
> hda: fix out-of-bound hdmi_eld.sad[] write
> 
> From: Roel Kluin <roel.kluin@gmail.com>
> 
> e->sad[] is declared with size ELD_MAX_SAD=16, but the guard
> allows range 0-31.
> 
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
> ---
>  sound/pci/hda/hda_eld.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> --- sound-2.6.orig/sound/pci/hda/hda_eld.c
> +++ sound-2.6/sound/pci/hda/hda_eld.c
> @@ -508,7 +508,7 @@ static void hdmi_write_eld_info(struct s
>  	char name[64];
>  	char *sname;
>  	long long val;
> -	int n;
> +	unsigned int n;
>  
>  	while (!snd_info_get_line(buffer, line, sizeof(line))) {
>  		if (sscanf(line, "%s %llx", name, &val) != 2)
> @@ -539,7 +539,7 @@ static void hdmi_write_eld_info(struct s
>  				sname++;
>  				n = 10 * n + name[4] - '0';
>  			}
> -			if (n < 0 || n > 31) /* double the CEA limit */
> +			if (n >= ELD_MAX_SAD)
>  				continue;
>  			if (!strcmp(sname, "_coding_type"))
>  				e->sad[n].format = val;
> 


* Re: [PATCH] ALSA: Write outside array bounds
  2009-07-29 10:25 [PATCH] ALSA: Write outside array bounds Roel Kluin
  2009-07-29 11:31 ` [PATCH v2] hda: fix out-of-bound hdmi_eld.sad[] write Wu Fengguang
@ 2009-07-30 10:57 ` Alan Horstmann
  1 sibling, 0 replies; 4+ messages in thread
From: Alan Horstmann @ 2009-07-30 10:57 UTC (permalink / raw)
  To: Roel Kluin; +Cc: ALSA devel

On Wednesday 29 July 2009 11:25, Roel Kluin wrote:
> e->sad[] is declared with size ELD_MAX_SAD (16), but the guard allows
> the range 0-31
>
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> ---
> Found with Parfait, http://research.sun.com/projects/parfait/

I've been looking for this tool to evaluate; is it available publicly, or do 
you have 'privileged access'?

Thanks

Alan
