From: Dan Carpenter <dan.carpenter@oracle.com>
To: o-takashi@sakamocchi.jp
Cc: alsa-devel@alsa-project.org
Subject: [bug report] ALSA: oxfw: Add support for AV/C stream format command to get/set supported stream formation
Date: Fri, 31 Mar 2017 16:33:03 +0300 [thread overview]
Message-ID: <20170331133302.GA11166@mwanda> (raw)
Hello Takashi Sakamoto,
The patch 5b59d8098d2a: "ALSA: oxfw: Add support for AV/C stream
format command to get/set supported stream formation" from Dec 9,
2014, leads to the following static checker warning:
sound/firewire/oxfw/oxfw-command.c:96 avc_stream_get_format()
warn: check that subtract can't underflow 'err - 10'
sound/firewire/oxfw/oxfw-command.c
76 /* do transaction and check buf[1-7] are the same against command */
77 err = fcp_avc_transaction(unit, buf, 12, buf, *len,
78 BIT(1) | BIT(2) | BIT(3) | BIT(4) | BIT(5) |
79 BIT(6) | BIT(7));
80 if ((err > 0) && (err < 10))
Assume err is either 0 or 10.
81 err = -EIO;
82 else if (buf[0] == 0x08) /* NOT IMPLEMENTED */
83 err = -ENOSYS;
84 else if (buf[0] == 0x0a) /* REJECTED */
85 err = -EINVAL;
86 else if (buf[0] == 0x0b) /* IN TRANSITION */
87 err = -EAGAIN;
88 /* LIST subfunction has entry ID */
89 else if ((subfunc == 0xc1) && (buf[10] != eid))
If "err" is 10, doesn't that mean we are reading beyond the end of the
loop here?
90 err = -EIO;
91 if (err < 0)
92 goto end;
93
94 /* keep just stream format information */
95 if (subfunc == 0xc0) {
96 memmove(buf, buf + 10, err - 10);
If "err" is 0 then we are going to crash here.
97 *len = err - 10;
98 } else {
99 memmove(buf, buf + 11, err - 11);
Basically if "err" is zero we're going to crash one way or another. But
if err is 10 and we reach this line then we will crash as well.
100 *len = err - 11;
101 }
102
103 err = 0;
104 end:
105 return err;
106 }
regards,
dan carpenter
reply other threads:[~2017-03-31 13:33 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170331133302.GA11166@mwanda \
--to=dan.carpenter@oracle.com \
--cc=alsa-devel@alsa-project.org \
--cc=o-takashi@sakamocchi.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).