[alsa-devel] [PATCH] pcm: fix buffer overflow in snd_pcm_chmap_print()
Anssi Hannula
anssi.hannula at iki.fi
Tue Dec 30 19:46:11 CET 2014
The size argument is wrong for one of the snprintf() calls in
snd_pcm_chmap_print(), allowing an overflow to happen (the user-provided
buffer may be written data up to 2x its actual size).
Seen in an user report here: http://trac.kodi.tv/ticket/15641
Signed-off-by: Anssi Hannula <anssi.hannula at iki.fi>
---
src/pcm/pcm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pcm/pcm.c b/src/pcm/pcm.c
index baa47c7..e74e02f 100644
--- a/src/pcm/pcm.c
+++ b/src/pcm/pcm.c
@@ -7621,7 +7621,7 @@ int snd_pcm_chmap_print(const snd_pcm_chmap_t *map, size_t maxlen, char *buf)
return -ENOMEM;
}
if (map->pos[i] & SND_CHMAP_DRIVER_SPEC)
- len += snprintf(buf + len, maxlen, "%d", p);
+ len += snprintf(buf + len, maxlen - len, "%d", p);
else {
const char *name = chmap_names[p];
if (name)
--
1.8.4.5
More information about the Alsa-devel
mailing list