3 Mar 2015, 12:38 p.m.
On Tue, Mar 03, 2015 at 12:21:34PM +0100, Clemens Ladisch wrote:
Dan Carpenter wrote:
In snd_opl3_calc_pitch() then the limit is:
if (pitchbend > 0x1FFF) pitchbend = 0x1FFF;
But it can underflow meaning that segment can be as low as SHORT_MIN / 0x1000 and we can read 6 elements before the start of the opl3_note_table[] array.
- short midi_pitchbend; /* Pitch bend amount */
- unsigned short midi_pitchbend; /* Pitch bend amount */
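Review bot: the type change on midi_pitchbend in this hunk does not bound the value, and the lower-bound check in snd_opl3_calc_pitch() is still missing. An unsigned short field can no longer represent a negative bend, while the read before opl3_note_table[] described above comes from the absent lower clamp; keeping the field as short and adding a lower-bound test next to `if (pitchbend > 0x1FFF) pitchbend = 0x1FFF;` addresses the out-of-bounds read directly. As shown, both lines of the hunk carry a `-` marker, so the intended replacement line is not marked as an addition.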
Pitch bend is a signed 14-bit value. What is wrong is the missing check for the lower bound.
Thanks for the review. I will resend.
regards, dan carpenter
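A model of the index calculation discussed in this thread, as an added example that is not the kernel's code or either poster's. It assumes the table index is (note % 12) plus a base offset of 2 plus pitchbend / 0x1000, with the offset chosen so that an unclamped SHORT_MIN lands 6 entries before the table as the report states, and it assumes a lower clamp of -0x2000 for a signed 14-bit value.

```c
#include <limits.h>
#include <stdio.h>

/* Assumed base offset: makes an unclamped SHRT_MIN land 6 before the table. */
#define BASE_OFFSET 2

/* Index computed with only the upper-bound check quoted in the thread. */
int segment_index_unchecked(int note, short bend)
{
	int pitchbend = bend;

	if (pitchbend > 0x1FFF)
		pitchbend = 0x1FFF;
	return (note % 12) + BASE_OFFSET + pitchbend / 0x1000;
}

/* Same computation with the signed 14-bit range enforced on both sides. */
int segment_index_clamped(int note, short bend)
{
	int pitchbend = bend;

	if (pitchbend < -0x2000)	/* assumed lower clamp: 14-bit minimum */
		pitchbend = -0x2000;
	if (pitchbend > 0x1FFF)
		pitchbend = 0x1FFF;
	return (note % 12) + BASE_OFFSET + pitchbend / 0x1000;
}

/* Smallest index reachable over every MIDI note and every short value. */
int min_index(int (*fn)(int, short))
{
	int lowest = INT_MAX;

	for (int note = 0; note < 128; note++)
		for (int bend = SHRT_MIN; bend <= SHRT_MAX; bend++) {
			int idx = fn(note, (short)bend);
			if (idx < lowest)
				lowest = idx;
		}
	return lowest;
}

int main(void)
{
	printf("unchecked min index: %d\n", min_index(segment_index_unchecked));
	printf("clamped   min index: %d\n", min_index(segment_index_clamped));
	return 0;
}
```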