[patch] ALSA: seq_midi_emul: small array underflow

kernel-janitors.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [patch] ALSA: seq_midi_emul: small array underflow
@ 2015-03-03  9:38 Dan Carpenter
  2015-03-03 11:21 ` [alsa-devel] " Clemens Ladisch
  0 siblings, 1 reply; 6+ messages in thread
From: Dan Carpenter @ 2015-03-03  9:38 UTC (permalink / raw)
  To: Jaroslav Kysela; +Cc: Takashi Iwai, alsa-devel, kernel-janitors

In snd_opl3_calc_pitch() then the limit is:

	if (pitchbend > 0x1FFF)
		pitchbend = 0x1FFF;

But it can underflow meaning that segment can be as low as
SHORT_MIN / 0x1000 and we can read 6 elements before the start of the
opl3_note_table[] array.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/include/sound/seq_midi_emul.h b/include/sound/seq_midi_emul.h
index 8139d8c..c02b840 100644
--- a/include/sound/seq_midi_emul.h
+++ b/include/sound/seq_midi_emul.h
@@ -44,7 +44,7 @@ struct snd_midi_channel {
 	unsigned char midi_aftertouch;	/* Aftertouch (key pressure) */
 	unsigned char midi_pressure;	/* Channel pressure */
 	unsigned char midi_program;	/* Instrument number */
-	short midi_pitchbend;		/* Pitch bend amount */
+	unsigned short midi_pitchbend;	/* Pitch bend amount */
 
 	unsigned char control[128];	/* Current value of all controls */
 	unsigned char note[128];	/* Current status for all notes */

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [alsa-devel] [patch] ALSA: seq_midi_emul: small array underflow
  2015-03-03  9:38 [patch] ALSA: seq_midi_emul: small array underflow Dan Carpenter
@ 2015-03-03 11:21 ` Clemens Ladisch
  2015-03-03 11:38   ` Dan Carpenter
  2015-03-03 19:13   ` [patch v2] ALSA: opl3: " Dan Carpenter
  0 siblings, 2 replies; 6+ messages in thread
From: Clemens Ladisch @ 2015-03-03 11:21 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: Jaroslav Kysela, Takashi Iwai, alsa-devel, kernel-janitors

Dan Carpenter wrote:
> In snd_opl3_calc_pitch() then the limit is:
>
> 	if (pitchbend > 0x1FFF)
> 		pitchbend = 0x1FFF;
>
> But it can underflow meaning that segment can be as low as
> SHORT_MIN / 0x1000 and we can read 6 elements before the start of the
> opl3_note_table[] array.

> -	short midi_pitchbend;		/* Pitch bend amount */
> +	unsigned short midi_pitchbend;	/* Pitch bend amount */

Pitch bend is a signed 14-bit value.  What is wrong is the missing
check for the lower bound.


Regards,
Clemens

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [alsa-devel] [patch] ALSA: seq_midi_emul: small array underflow
  2015-03-03 11:21 ` [alsa-devel] " Clemens Ladisch
@ 2015-03-03 11:38   ` Dan Carpenter
  2015-03-03 19:13   ` [patch v2] ALSA: opl3: " Dan Carpenter
  1 sibling, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2015-03-03 11:38 UTC (permalink / raw)
  To: Clemens Ladisch
  Cc: Jaroslav Kysela, Takashi Iwai, alsa-devel, kernel-janitors

On Tue, Mar 03, 2015 at 12:21:34PM +0100, Clemens Ladisch wrote:
> Dan Carpenter wrote:
> > In snd_opl3_calc_pitch() then the limit is:
> >
> > 	if (pitchbend > 0x1FFF)
> > 		pitchbend = 0x1FFF;
> >
> > But it can underflow meaning that segment can be as low as
> > SHORT_MIN / 0x1000 and we can read 6 elements before the start of the
> > opl3_note_table[] array.
> 
> > -	short midi_pitchbend;		/* Pitch bend amount */
> > +	unsigned short midi_pitchbend;	/* Pitch bend amount */
> 
> Pitch bend is a signed 14-bit value.  What is wrong is the missing
> check for the lower bound.
> 

Thanks for the review.  I will resend.

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [patch v2] ALSA: opl3: small array underflow
  2015-03-03 11:21 ` [alsa-devel] " Clemens Ladisch
  2015-03-03 11:38   ` Dan Carpenter
@ 2015-03-03 19:13   ` Dan Carpenter
  2015-03-03 20:59     ` [alsa-devel] " Clemens Ladisch
  1 sibling, 1 reply; 6+ messages in thread
From: Dan Carpenter @ 2015-03-03 19:13 UTC (permalink / raw)
  To: Jaroslav Kysela; +Cc: Takashi Iwai, alsa-devel, kernel-janitors

We don't check for negatives so "pitchbend" can be SHRT_MIN here.  It
means that we can read up to 6 elements before the start of the
opl3_note_table[] array.

There are several ways we could fix this.  I have gone with what is
maybe the lazier approach of just changing negative values to zero.
Hopefully, people aren't passing negatives here anyway.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: The first patch just chan->midi_pitchbend unsigned but Clemens
Ladisch pointed out that that breaks the API.

diff --git a/sound/drivers/opl3/opl3_midi.c b/sound/drivers/opl3/opl3_midi.c
index f62780e..0cb91dc 100644
--- a/sound/drivers/opl3/opl3_midi.c
+++ b/sound/drivers/opl3/opl3_midi.c
@@ -105,6 +105,8 @@ static void snd_opl3_calc_pitch(unsigned char *fnum, unsigned char *blocknum,
 		int pitchbend = chan->midi_pitchbend;
 		int segment;
 
+		if (pitchbend < 0)
+			pitchbend = 0;
 		if (pitchbend > 0x1FFF)
 			pitchbend = 0x1FFF;
 

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [alsa-devel] [patch v2] ALSA: opl3: small array underflow
  2015-03-03 19:13   ` [patch v2] ALSA: opl3: " Dan Carpenter
@ 2015-03-03 20:59     ` Clemens Ladisch
  2015-03-03 21:06       ` Dan Carpenter
  0 siblings, 1 reply; 6+ messages in thread
From: Clemens Ladisch @ 2015-03-03 20:59 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: Jaroslav Kysela, Takashi Iwai, alsa-devel, kernel-janitors

Dan Carpenter wrote:
> We don't check for negatives so "pitchbend" can be SHRT_MIN here.  It
> means that we can read up to 6 elements before the start of the
> opl3_note_table[] array.
>
> There are several ways we could fix this.  I have gone with what is
> maybe the lazier approach of just changing negative values to zero.

The lower bound is not zero but -8192.


Regards,
Clemens

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [alsa-devel] [patch v2] ALSA: opl3: small array underflow
  2015-03-03 20:59     ` [alsa-devel] " Clemens Ladisch
@ 2015-03-03 21:06       ` Dan Carpenter
  0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2015-03-03 21:06 UTC (permalink / raw)
  To: Clemens Ladisch
  Cc: Jaroslav Kysela, Takashi Iwai, alsa-devel, kernel-janitors

On Tue, Mar 03, 2015 at 09:59:17PM +0100, Clemens Ladisch wrote:
> Dan Carpenter wrote:
> > We don't check for negatives so "pitchbend" can be SHRT_MIN here.  It
> > means that we can read up to 6 elements before the start of the
> > opl3_note_table[] array.
> >
> > There are several ways we could fix this.  I have gone with what is
> > maybe the lazier approach of just changing negative values to zero.
> 
> The lower bound is not zero but -8192.

Oh.  I should have understood that from your previous email.  Sorry for
that.  Third time is lucky, I suppose.

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2015-03-03 21:06 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-03-03  9:38 [patch] ALSA: seq_midi_emul: small array underflow Dan Carpenter
2015-03-03 11:21 ` [alsa-devel] " Clemens Ladisch
2015-03-03 11:38   ` Dan Carpenter
2015-03-03 19:13   ` [patch v2] ALSA: opl3: " Dan Carpenter
2015-03-03 20:59     ` [alsa-devel] " Clemens Ladisch
2015-03-03 21:06       ` Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).