21 Jun
2010
21 Jun
'10
6:09 p.m.
At Mon, 21 Jun 2010 17:05:16 +0200, Daniel Mack wrote:
On Mon, Jun 21, 2010 at 05:03:21PM +0200, Jiri Slaby wrote:
Stanse found that in snd_usb_parse_audio_endpoints, there is a dangling pointer dereference. When snd_usb_parse_audio_format fails, fp is freed, and continue invoked. On the next loop, there is "fp && fp->altsetting == 1 && fp->channels == 1" test, but fp is set from the last iteration (but is bogus) and thus ilegally dereferenced.
Set fp to NULL before "continue".
Oh, absolutely. Thanks.
Signed-off-by: Jiri Slaby jslaby@suse.cz
Acked-by: Daniel Mack daniel@caiaq.de
I think this should go thru the ALSA tree.
Yep, I applied it now. Thanks!
Takashi