The size argument is wrong for one of the snprintf() calls in snd_pcm_chmap_print(), allowing an overflow to happen (the user-provided buffer may be written data up to 2x its actual size).
Seen in an user report here: http://trac.kodi.tv/ticket/15641
Signed-off-by: Anssi Hannula anssi.hannula@iki.fi --- src/pcm/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pcm/pcm.c b/src/pcm/pcm.c index baa47c7..e74e02f 100644 --- a/src/pcm/pcm.c +++ b/src/pcm/pcm.c @@ -7621,7 +7621,7 @@ int snd_pcm_chmap_print(const snd_pcm_chmap_t *map, size_t maxlen, char *buf) return -ENOMEM; } if (map->pos[i] & SND_CHMAP_DRIVER_SPEC) - len += snprintf(buf + len, maxlen, "%d", p); + len += snprintf(buf + len, maxlen - len, "%d", p); else { const char *name = chmap_names[p]; if (name)