[alsa-devel] [bug report] ALSA: oxfw: Add support for AV/C stream format command to get/set supported stream formation
Dan Carpenter
dan.carpenter at oracle.com
Fri Mar 31 15:33:03 CEST 2017

Hello Takashi Sakamoto,

The patch 5b59d8098d2a: "ALSA: oxfw: Add support for AV/C stream
format command to get/set supported stream formation" from Dec 9,
2014, leads to the following static checker warning:

	sound/firewire/oxfw/oxfw-command.c:96 avc_stream_get_format()
	warn: check that subtract can't underflow 'err - 10'

sound/firewire/oxfw/oxfw-command.c
    76          /* do transaction and check buf[1-7] are the same against command */
    77          err = fcp_avc_transaction(unit, buf, 12, buf, *len,
    78                                    BIT(1) | BIT(2) | BIT(3) | BIT(4) | BIT(5) |
    79                                    BIT(6) | BIT(7));
    80          if ((err > 0) && (err < 10))

Assume err is either 0 or 10.

    81                  err = -EIO;
    82          else if (buf[0] == 0x08) /* NOT IMPLEMENTED */
    83                  err = -ENOSYS;
    84          else if (buf[0] == 0x0a) /* REJECTED */
    85                  err = -EINVAL;
    86          else if (buf[0] == 0x0b) /* IN TRANSITION */
    87                  err = -EAGAIN;
    88          /* LIST subfunction has entry ID */
    89          else if ((subfunc == 0xc1) && (buf[10] != eid))

If "err" is 10, doesn't that mean we are reading beyond the end of the
loop here?

    90                  err = -EIO;
    91          if (err < 0)
    92                  goto end;
    93
    94          /* keep just stream format information */
    95          if (subfunc == 0xc0) {
    96                  memmove(buf, buf + 10, err - 10);

If "err" is 0 then we are going to crash here.

    97                  *len = err - 10;
    98          } else {
    99                  memmove(buf, buf + 11, err - 11);

Basically if "err" is zero we're going to crash one way or another.  But
if err is 10 and we reach this line then we will crash as well.

   100                  *len = err - 11;
   101          }
   102
   103          err = 0;
   104  end:
   105          return err;
   106  }

regards,
dan carpenter
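
As an added illustration of the check the report asks for (not code from the original mail or from the ALSA driver): a userspace C model that validates the response length before the subtraction and before reading buf[10]. The names `strip_format_header` and `resp_len`, and the sample bytes, are assumptions made up for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical userspace model, not the driver's code. resp_len stands for
 * the value fcp_avc_transaction() returned: a negative errno or the number
 * of response bytes now in buf. */
static int strip_format_header(uint8_t *buf, int resp_len, unsigned int subfunc,
                               unsigned int eid, unsigned int *len)
{
	/* Offsets from the listing: 10 header bytes for 0xc0, 11 otherwise. */
	int hdr = (subfunc == 0xc0) ? 10 : 11;

	if (resp_len < 0)
		return resp_len;        /* transaction error, pass it through */

	/* Reject short responses before any subtraction or read of buf[10].
	 * Without this, resp_len - hdr is negative and converts to a huge
	 * size_t when passed to memmove(). */
	if (resp_len < hdr)
		return -EIO;

	/* LIST subfunction carries an entry ID; safe now, resp_len >= 11. */
	if (subfunc == 0xc1 && buf[10] != eid)
		return -EIO;

	/* keep just stream format information */
	memmove(buf, buf + hdr, (size_t)(resp_len - hdr));
	*len = (unsigned int)(resp_len - hdr);
	return 0;
}

int main(void)
{
	uint8_t buf[16] = {0};          /* constructed sample response */
	unsigned int len = 0;

	buf[10] = 0x90;
	buf[11] = 0x40;
	return (strip_format_header(buf, 12, 0xc0, 0, &len) == 0 && len == 2) ? 0 : 1;
}
```

The response-code checks on buf[0] from lines 82-87 are left out to keep the model focused on the length handling.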