[alsa-devel] [PATCH] Fix possible sprintf overrun in snd_pcm_hw_open
I spotted this while reading code a few weeks ago, and I ran it through the Ubuntu security team just to be sure. They decided it did not need any security embargo or similar, so here comes the patch.
David Henningsson wrote:
> Possible buffer overrun if the number of "card" and "device" are absurdly high, especially on 64-bit platforms.
The size of "int" is 32 bits even on 64-bit platforms.
As far as I can see, there is no bug.
Regards, Clemens
On 2010-12-08 13:12, Clemens Ladisch wrote:
> David Henningsson wrote:
>> Possible buffer overrun if the number of "card" and "device" are absurdly high, especially on 64-bit platforms.
> The size of "int" is 32 bits even on 64-bit platforms.
Seems you're right, then I learned something new today :-)
Although this might be compiler dependent, and some exotic platform might decide otherwise in the future?
> As far as I can see, there is no bug.
Even for 32-bit platforms, you would still overrun the buffer if you set card = device = −2147483647.
On 2010-12-08 13:56, David Henningsson wrote:
> On 2010-12-08 13:12, Clemens Ladisch wrote:
>> David Henningsson wrote:
>>> Possible buffer overrun if the number of "card" and "device" are absurdly high, especially on 64-bit platforms.
>> The size of "int" is 32 bits even on 64-bit platforms.
> Seems you're right, then I learned something new today :-)
> Although this might be compiler dependent, and some exotic platform might decide otherwise in the future?
>> As far as I can see, there is no bug.
> Even for 32-bit platforms, you would still overrun the buffer if you set card = device = −2147483647.
...or maybe not, forgot that the %d characters are removed. Oh well, doesn't hurt to change it into snprintf anyway ;-)
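
The sizing argument from this thread, worked through as an added example that is not part of the original messages or of alsa-lib: it measures the worst-case output of a two-integer path template and shows a bounded formatter that reports truncation. The template string, path and function names are constructed for illustration, and "int" is assumed to be 32 bits.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a device-path template (not the alsa-lib string). */
#define EXAMPLE_FMT "/dev/example/c%dd%d"

/* Longest output the template can produce: both ints at INT_MIN.
 * snprintf(NULL, 0, ...) returns the length it would write, excluding NUL. */
static int worst_case_len(void)
{
    return snprintf(NULL, 0, EXAMPLE_FMT, INT_MIN, INT_MIN);
}

/* Extra bytes needed beyond sizeof(EXAMPLE_FMT) for an unbounded sprintf
 * to be safe. sizeof() already counts the NUL and the two "%d" sequences,
 * which are replaced in the output, so each int costs its width minus 2. */
static int required_slack(void)
{
    return worst_case_len() + 1 - (int)sizeof(EXAMPLE_FMT);
}

/* Bounded formatter: 0 on success, -1 on encoding error or truncation. */
static int format_path(char *buf, size_t size, int card, int device)
{
    int n = snprintf(buf, size, EXAMPLE_FMT, card, device);

    if (n < 0 || (size_t)n >= size) {
        if (size > 0)
            buf[0] = '\0';   /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[sizeof(EXAMPLE_FMT) + 20];  /* constructed slack of 20 bytes */

    printf("worst-case length: %d\n", worst_case_len());
    printf("slack required:    %d\n", required_slack());
    if (format_path(buf, sizeof(buf), INT_MIN, INT_MIN) == 0)
        printf("fits: %s\n", buf);
    return 0;
}
```

A buffer sized from the template plus a fixed slack is only as safe as that slack; checking the snprintf return value keeps the code correct if the template or the integer width ever changes.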