At Wed, 23 Mar 2011 11:42:57 -0400, Dan Rosenberg wrote:
User-controllable indexes for voice and channel values may cause reading and writing beyond the bounds of their respective arrays, leading to potentially exploitable memory corruption. Validate these indexes.
Signed-off-by: Dan Rosenberg drosenberg@vsecurity.com Cc: stable@kernel.org
Applied now. Thanks.
Takashi
sound/oss/opl3.c | 15 +++++++++++++-- 1 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c index 938c48c..e9d443e 100644 --- a/sound/oss/opl3.c +++ b/sound/oss/opl3.c @@ -849,6 +849,10 @@ static int opl3_load_patch(int dev, int format, const char __user *addr,
static void opl3_panning(int dev, int voice, int value) {
- if (voice < 0 || voice >= devc->nr_voice)
return;- devc->voc[voice].panning = value;
}
@@ -1066,8 +1070,15 @@ static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info
static void opl3_setup_voice(int dev, int voice, int chn) {
- struct channel_info *info =
- &synth_devs[dev]->chn_info[chn];
struct channel_info *info;
if (voice < 0 || voice >= devc->nr_voice)
return;if (chn < 0 || chn > 15)
return;info = &synth_devs[dev]->chn_info[chn];
opl3_set_instr(dev, voice, info->pgm_num);