[alsa-devel] ALSA: Add ALSA driver for Atmel Audio Bitstream DAC

Takashi Iwai tiwai at suse.de
Fri Nov 29 10:25:41 CET 2013


At Wed, 27 Nov 2013 14:57:32 +0300,
Dan Carpenter wrote:
> 
> Hello Hans-Christian Egtvedt,
> 
> The patch e4967d6016b7: "ALSA: Add ALSA driver for Atmel Audio 
> Bitstream DAC" from Feb 5, 2009, leads to the following
> static checker warning: "sound/atmel/abdac.c:373 set_sample_rates()
> 	 error: buffer overflow 'dac->rates' 6 <= 6"
> 
> sound/atmel/abdac.c
>    354          /* we start at 192 kHz and work our way down to 5112 Hz */
>    355          while (new_rate >= RATE_MIN && index < (MAX_NUM_RATES + 1)) {
> 
> index == MAX_NUM_RATES + 1 so index is 7.
> 
>    356                  new_rate = clk_round_rate(dac->sample_clk, 256 * new_rate);
>    357                  if (new_rate < 0)
>    358                          break;
>    359                  /* make sure we are below the ABDAC clock */
>    360                  if (new_rate <= clk_get_rate(dac->pclk)) {
>    361                          dac->rates[index] = new_rate / 256;
> 
> index == MAX_NUM_RATES is off by one.
> 
>    362                          index++;
>    363                  }
>    364                  /* divide by 256 and then by two to get next rate */
>    365                  new_rate /= 256 * 2;
>    366          }
>    367  
>    368          if (index) {
>    369                  int i;
>    370  
>    371                  /* reverse array, smallest go first */
>    372                  for (i = 0; i < (index / 2); i++) {
>    373                          unsigned int tmp = dac->rates[index - 1 - i];
> 
> 7 - 1 - 0 is 6, but dac->rates[] only has 6 elements so we are
> potentially reading beyond the end of the array here.
> 
>    374                          dac->rates[index - 1 - i] = dac->rates[i];
>    375                          dac->rates[i] = tmp;
>    376                  }
>    377  
>    378                  dac->constraints_rates.count = index;
>    379                  dac->constraints_rates.list = dac->rates;
>    380                  dac->constraints_rates.mask = 0;
>    381                  dac->rates_num = index;
>    382  
>    383                  retval = 0;
>    384          }

I guess the patch below should fix it, but it is better to hear from
Hans-Christian first.


thanks,

Takashi

---
diff --git a/sound/atmel/abdac.c b/sound/atmel/abdac.c
index 872d59e35ee2..721d8fd45685 100644
--- a/sound/atmel/abdac.c
+++ b/sound/atmel/abdac.c
@@ -357,7 +357,8 @@ static int set_sample_rates(struct atmel_abdac *dac)
 		if (new_rate < 0)
 			break;
 		/* make sure we are below the ABDAC clock */
-		if (new_rate <= clk_get_rate(dac->pclk)) {
+		if (index < MAX_NUM_RATES &&
+		    new_rate <= clk_get_rate(dac->pclk)) {
 			dac->rates[index] = new_rate / 256;
 			index++;
 		}
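
Review bot: the added `index < MAX_NUM_RATES` test in the `if` guards the store to `dac->rates[index]`, but the loop condition quoted earlier in this message (line 355) still reads `index < (MAX_NUM_RATES + 1)`, so once the array is full the loop keeps calling `clk_round_rate()` and halving `new_rate` without storing anything until `new_rate` drops below `RATE_MIN`. Tightening the `while` bound to `index < MAX_NUM_RATES` would stop the loop as soon as the array is full and make the extra condition here unnecessary. Either way `index` can no longer exceed `MAX_NUM_RATES`, so the reversal at line 373 reads at most `dac->rates[MAX_NUM_RATES - 1]`; a short comment stating that `dac->rates[]` holds `MAX_NUM_RATES` entries would keep the two bounds from drifting apart again.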

