ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control()

snd_emux_xg_control() can be called with an argument 'param' greater than size of 'control' array. It may lead to accessing 'control' array at a wrong index. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: N Artemii Karasev <karasev@ispras.ru> Fixes: 1da177e4 ("Linux-2.6.12-rc2") Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20230207132026.2870-1-karasev@ispras.ruSigned-off-by: N Takashi Iwai <tiwai@suse.de>

ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control()
snd_emux_xg_control() can be called with an argument 'param' greater than size of 'control' array. It may lead to accessing 'control' array at a wrong index. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: N Artemii Karasev <karasev@ispras.ru> Fixes: 1da177e4 ("Linux-2.6.12-rc2") Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20230207132026.2870-1-karasev@ispras.ruSigned-off-by: N Takashi Iwai <tiwai@suse.de>
6a32425f · Artemii Karasev · Takashi Iwai · 6c4715aa · 6a32425f
隐藏空白更改
内联并排

Showing with 3 addition and 0 deletion

sound/synth/emux/emux_nrpn.c sound/synth/emux/emux_nrpn.c +3 -0

未找到文件。
--- a/sound/synth/emux/emux_nrpn.c
+++ b/sound/synth/emux/emux_nrpn.c
@@ -349,6 +349,9 @@ int
 snd_emux_xg_control(struct snd_emux_port *port, struct snd_midi_channel *chan,
 		    int param)
 {
+	if (param >= ARRAY_SIZE(chan->control))
+		return -EINVAL;
 	return send_converted_effect(xg_effects, ARRAY_SIZE(xg_effects),
 				     port, chan, param,
 				     chan->control[param],