* sound/pci/hda/patch_via.c: array overflow
@ 2007-10-19 12:57 Adrian Bunk
2007-10-22 14:07 ` Takashi Iwai
0 siblings, 1 reply; 2+ messages in thread
From: Adrian Bunk @ 2007-10-19 12:57 UTC (permalink / raw)
To: perex; +Cc: linux-kernel
sound/pci/hda/patch_via.c contains the following code:
<-- snip -->
...
struct via_spec {
...
hda_nid_t private_dac_nids[4];
... ^^^
};
...
static int vt1709_auto_fill_dac_nids(struct via_spec *spec,
const struct auto_pin_cfg *cfg)
{
...
spec->multiout.dac_nids = spec->private_dac_nids;
if (cfg->line_outs == 4) { /* 10 channels */ <------------------
for (i = 0; i < cfg->line_outs; i++) {
nid = cfg->line_out_pins[i];
if (nid) {
/* config dac list */
switch (i) {
case AUTO_SEQ_FRONT:
/* AOW0 */
spec->multiout.dac_nids[i] = 0x10;
break;
case AUTO_SEQ_CENLFE:
/* AOW2 */
spec->multiout.dac_nids[i] = 0x12;
break;
case AUTO_SEQ_SURROUND:
/* AOW3 */
spec->multiout.dac_nids[i] = 0x27;
break;
case AUTO_SEQ_SIDE:
/* AOW1 */
spec->multiout.dac_nids[i] = 0x11;
break;
default:
break;
}
}
}
spec->multiout.dac_nids[cfg->line_outs] = 0x28; /* AOW4 */
... ^^^^^^^^^^^^^^
<-- snip -->
Spotted by the Coverity checker.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: sound/pci/hda/patch_via.c: array overflow
2007-10-19 12:57 sound/pci/hda/patch_via.c: array overflow Adrian Bunk
@ 2007-10-22 14:07 ` Takashi Iwai
0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2007-10-22 14:07 UTC (permalink / raw)
To: Adrian Bunk; +Cc: perex, linux-kernel
At Fri, 19 Oct 2007 14:57:09 +0200,
Adrian Bunk wrote:
>
> sound/pci/hda/patch_via.c contains the following code:
>
> <-- snip -->
>
> ...
> struct via_spec {
> ...
> hda_nid_t private_dac_nids[4];
> ... ^^^
> };
> ...
> static int vt1709_auto_fill_dac_nids(struct via_spec *spec,
> const struct auto_pin_cfg *cfg)
> {
> ...
> spec->multiout.dac_nids = spec->private_dac_nids;
>
> if (cfg->line_outs == 4) { /* 10 channels */ <------------------
> for (i = 0; i < cfg->line_outs; i++) {
> nid = cfg->line_out_pins[i];
> if (nid) {
> /* config dac list */
> switch (i) {
> case AUTO_SEQ_FRONT:
> /* AOW0 */
> spec->multiout.dac_nids[i] = 0x10;
> break;
> case AUTO_SEQ_CENLFE:
> /* AOW2 */
> spec->multiout.dac_nids[i] = 0x12;
> break;
> case AUTO_SEQ_SURROUND:
> /* AOW3 */
> spec->multiout.dac_nids[i] = 0x27;
> break;
> case AUTO_SEQ_SIDE:
> /* AOW1 */
> spec->multiout.dac_nids[i] = 0x11;
> break;
> default:
> break;
> }
> }
> }
> spec->multiout.dac_nids[cfg->line_outs] = 0x28; /* AOW4 */
> ... ^^^^^^^^^^^^^^
>
> <-- snip -->
>
> Spotted by the Coverity checker.
Thanks. The following patch was applied to ALSA tree.
Takashi
[ALSA] hda-codec - Fix possible array overflow
dac_nids arrays in each codec support code may have up to 5 items
when assigned from the auto-configurator. Some codec codes have
less numbers than the possible max. This patch defines the constant
and fixes the array definitions.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/hda_local.h
--- a/sound/pci/hda/hda_local.h Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/hda_local.h Mon Oct 22 17:20:10 2007 +0200
@@ -310,16 +310,17 @@ enum {
extern const char *auto_pin_cfg_labels[AUTO_PIN_LAST];
+#define AUTO_CFG_MAX_OUTS 5
+
struct auto_pin_cfg {
int line_outs;
- hda_nid_t line_out_pins[5]; /* sorted in the order of
- * Front/Surr/CLFE/Side
- */
+ /* sorted in the order of Front/Surr/CLFE/Side */
+ hda_nid_t line_out_pins[AUTO_CFG_MAX_OUTS];
int speaker_outs;
- hda_nid_t speaker_pins[5];
+ hda_nid_t speaker_pins[AUTO_CFG_MAX_OUTS];
int hp_outs;
int line_out_type; /* AUTO_PIN_XXX_OUT */
- hda_nid_t hp_pins[5];
+ hda_nid_t hp_pins[AUTO_CFG_MAX_OUTS];
hda_nid_t input_pins[AUTO_PIN_LAST];
hda_nid_t dig_out_pin;
hda_nid_t dig_in_pin;
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_analog.c
--- a/sound/pci/hda/patch_analog.c Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_analog.c Mon Oct 22 17:20:10 2007 +0200
@@ -72,7 +72,7 @@ struct ad198x_spec {
unsigned int num_kctl_alloc, num_kctl_used;
struct snd_kcontrol_new *kctl_alloc;
struct hda_input_mux private_imux;
- hda_nid_t private_dac_nids[4];
+ hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];
unsigned int jack_present :1;
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_cmedia.c
--- a/sound/pci/hda/patch_cmedia.c Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_cmedia.c Mon Oct 22 17:20:10 2007 +0200
@@ -50,7 +50,7 @@ struct cmi_spec {
/* playback */
struct hda_multi_out multiout;
- hda_nid_t dac_nids[4]; /* NID for each DAC */
+ hda_nid_t dac_nids[AUTO_CFG_MAX_OUTS]; /* NID for each DAC */
int num_dacs;
/* capture */
@@ -73,7 +73,6 @@ struct cmi_spec {
unsigned int pin_def_confs;
/* multichannel pins */
- hda_nid_t multich_pin[4]; /* max 8-channel */
struct hda_verb multi_init[9]; /* 2 verbs for each pin + terminator */
};
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_conexant.c
--- a/sound/pci/hda/patch_conexant.c Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_conexant.c Mon Oct 22 17:20:10 2007 +0200
@@ -85,7 +85,7 @@ struct conexant_spec {
unsigned int num_kctl_alloc, num_kctl_used;
struct snd_kcontrol_new *kctl_alloc;
struct hda_input_mux private_imux;
- hda_nid_t private_dac_nids[4];
+ hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];
};
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_realtek.c
--- a/sound/pci/hda/patch_realtek.c Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_realtek.c Mon Oct 22 17:20:10 2007 +0200
@@ -238,7 +238,7 @@ struct alc_spec {
unsigned int num_kctl_alloc, num_kctl_used;
struct snd_kcontrol_new *kctl_alloc;
struct hda_input_mux private_imux;
- hda_nid_t private_dac_nids[5];
+ hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];
/* hooks */
void (*init_hook)(struct hda_codec *codec);
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_via.c
--- a/sound/pci/hda/patch_via.c Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_via.c Mon Oct 22 17:20:10 2007 +0200
@@ -114,7 +114,7 @@ struct via_spec {
unsigned int num_kctl_alloc, num_kctl_used;
struct snd_kcontrol_new *kctl_alloc;
struct hda_input_mux private_imux;
- hda_nid_t private_dac_nids[4];
+ hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];
#ifdef CONFIG_SND_HDA_POWER_SAVE
struct hda_loopback_check loopback;
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2007-10-22 15:24 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-10-19 12:57 sound/pci/hda/patch_via.c: array overflow Adrian Bunk
2007-10-22 14:07 ` Takashi Iwai
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox