alsa-devel.alsa-project.org archive mirror
 help / color / mirror / Atom feed
* [bug report] ALSA: oxfw: Add support for AV/C stream format command to get/set supported stream formation
@ 2017-03-31 13:33 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2017-03-31 13:33 UTC (permalink / raw)
  To: o-takashi; +Cc: alsa-devel

Hello Takashi Sakamoto,

The patch 5b59d8098d2a: "ALSA: oxfw: Add support for AV/C stream
format command to get/set supported stream formation" from Dec 9,
2014, leads to the following static checker warning:

	sound/firewire/oxfw/oxfw-command.c:96 avc_stream_get_format()
	warn: check that subtract can't underflow 'err - 10'

sound/firewire/oxfw/oxfw-command.c
    76          /* do transaction and check buf[1-7] are the same against command */
    77          err = fcp_avc_transaction(unit, buf, 12, buf, *len,
    78                                    BIT(1) | BIT(2) | BIT(3) | BIT(4) | BIT(5) |
    79                                    BIT(6) | BIT(7));
    80          if ((err > 0) && (err < 10))

Assume err is either 0 or 10.

    81                  err = -EIO;
    82          else if (buf[0] == 0x08)        /* NOT IMPLEMENTED */
    83                  err = -ENOSYS;
    84          else if (buf[0] == 0x0a)        /* REJECTED */
    85                  err = -EINVAL;
    86          else if (buf[0] == 0x0b)        /* IN TRANSITION */
    87                  err = -EAGAIN;
    88          /* LIST subfunction has entry ID */
    89          else if ((subfunc == 0xc1) && (buf[10] != eid))

If "err" is 10, doesn't that mean we are reading beyond the end of the
loop here?

    90                  err = -EIO;
    91          if (err < 0)
    92                  goto end;
    93  
    94          /* keep just stream format information */
    95          if (subfunc == 0xc0) {
    96                  memmove(buf, buf + 10, err - 10);

If "err" is 0 then we are going to crash here.

    97                  *len = err - 10;
    98          } else {
    99                  memmove(buf, buf + 11, err - 11);

Basically if "err" is zero we're going to crash one way or another.  But
if err is 10 and we reach this line then we will crash as well.

   100                  *len = err - 11;
   101          }
   102  
   103          err = 0;
   104  end:
   105          return err;
   106  }

regards,
dan carpenter

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2017-03-31 13:33 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-31 13:33 [bug report] ALSA: oxfw: Add support for AV/C stream format command to get/set supported stream formation Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).