提交 0c21fccd 编写于 作者: D Dan Carpenter 提交者: Takashi Iwai

ALSA: asihpi: a couple array out of bounds issues

These ->put() functions are called from snd_ctl_elem_write() with user
supplied data.  snd_asihpi_tuner_band_put() is missing a limit check and
the check in snd_asihpi_clksrc_put() can underflow.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>
上级 3d0049e8
...@@ -1913,6 +1913,7 @@ static int snd_asihpi_tuner_band_put(struct snd_kcontrol *kcontrol, ...@@ -1913,6 +1913,7 @@ static int snd_asihpi_tuner_band_put(struct snd_kcontrol *kcontrol,
struct snd_card_asihpi *asihpi = snd_kcontrol_chip(kcontrol); struct snd_card_asihpi *asihpi = snd_kcontrol_chip(kcontrol);
*/ */
u32 h_control = kcontrol->private_value; u32 h_control = kcontrol->private_value;
unsigned int idx;
u16 band; u16 band;
u16 tuner_bands[HPI_TUNER_BAND_LAST]; u16 tuner_bands[HPI_TUNER_BAND_LAST];
u32 num_bands = 0; u32 num_bands = 0;
...@@ -1920,7 +1921,10 @@ static int snd_asihpi_tuner_band_put(struct snd_kcontrol *kcontrol, ...@@ -1920,7 +1921,10 @@ static int snd_asihpi_tuner_band_put(struct snd_kcontrol *kcontrol,
num_bands = asihpi_tuner_band_query(kcontrol, tuner_bands, num_bands = asihpi_tuner_band_query(kcontrol, tuner_bands,
HPI_TUNER_BAND_LAST); HPI_TUNER_BAND_LAST);
band = tuner_bands[ucontrol->value.enumerated.item[0]]; idx = ucontrol->value.enumerated.item[0];
if (idx >= ARRAY_SIZE(tuner_bands))
idx = ARRAY_SIZE(tuner_bands) - 1;
band = tuner_bands[idx];
hpi_handle_error(hpi_tuner_set_band(h_control, band)); hpi_handle_error(hpi_tuner_set_band(h_control, band));
return 1; return 1;
...@@ -2383,7 +2387,8 @@ static int snd_asihpi_clksrc_put(struct snd_kcontrol *kcontrol, ...@@ -2383,7 +2387,8 @@ static int snd_asihpi_clksrc_put(struct snd_kcontrol *kcontrol,
struct snd_card_asihpi *asihpi = struct snd_card_asihpi *asihpi =
(struct snd_card_asihpi *)(kcontrol->private_data); (struct snd_card_asihpi *)(kcontrol->private_data);
struct clk_cache *clkcache = &asihpi->cc; struct clk_cache *clkcache = &asihpi->cc;
int change, item; unsigned int item;
int change;
u32 h_control = kcontrol->private_value; u32 h_control = kcontrol->private_value;
change = 1; change = 1;
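Review bot: In snd_asihpi_tuner_band_put() the new clamp compares idx with ARRAY_SIZE(tuner_bands) rather than with num_bands, the count returned by asihpi_tuner_band_query(). tuner_bands is declared without an initializer, so unless the query fills every slot (not visible here), an idx between num_bands and HPI_TUNER_BAND_LAST - 1 still reads an unset stack value and passes it to hpi_tuner_set_band(). Bounding by the queried count and rejecting the write instead of silently clamping would close that, e.g. `if (idx >= num_bands) return -EINVAL;`, assuming the query never reports more than the HPI_TUNER_BAND_LAST limit it was given. The function begins and ends outside the hunks shown, so any later use of num_bands is not visible here.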