[alsa-devel] [PATCH] ALSA: Write outside array bounds
e->sad[] is declared with size ELD_MAX_SAD (16), but the guard allows the range 0-31
Signed-off-by: Roel Kluin roel.kluin@gmail.com
---
Found with Parfait, http://research.sun.com/projects/parfait/
diff --git a/sound/pci/hda/hda_eld.c b/sound/pci/hda/hda_eld.c index fcad5ec..ec04e58 100644 --- a/sound/pci/hda/hda_eld.c +++ b/sound/pci/hda/hda_eld.c @@ -539,7 +539,7 @@ static void hdmi_write_eld_info(struct snd_info_entry *entry, sname++; n = 10 * n + name[4] - '0'; } - if (n < 0 || n > 31) /* double the CEA limit */ + if (n < 0 || n > ELD_MAX_SAD) continue; if (!strcmp(sname, "_coding_type")) e->sad[n].format = val;
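Review bot: the replacement guard `n > ELD_MAX_SAD` is still off by one. With n == ELD_MAX_SAD the check passes and `e->sad[n].format = val` writes one element past the end of an array that the description says has ELD_MAX_SAD entries. Use `n >= ELD_MAX_SAD` so the highest accepted index is ELD_MAX_SAD - 1. The removed comment "double the CEA limit" reads as if 0-31 was once intended, so the changelog should state that the array size, not that comment, is the authority.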
On Wed, Jul 29, 2009 at 12:25:11PM +0200, Roel Kluin wrote:
e->sad[] is declared with size ELD_MAX_SAD (16), but the guard allows the range 0-31
Good catch, thank you, Roel!
Minor fix: '>=' should be used in this line:
if (n < 0 || n > ELD_MAX_SAD)
So I'd suggest this updated patch.
Thanks,
Fengguang
---
hda: fix out-of-bound hdmi_eld.sad[] write
From: Roel Kluin roel.kluin@gmail.com
e->sad[] is declared with size ELD_MAX_SAD=16, but the guard allows range 0-31.
Signed-off-by: Roel Kluin roel.kluin@gmail.com
Signed-off-by: Wu Fengguang fengguang.wu@intel.com
---
sound/pci/hda/hda_eld.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- sound-2.6.orig/sound/pci/hda/hda_eld.c +++ sound-2.6/sound/pci/hda/hda_eld.c @@ -508,7 +508,7 @@ static void hdmi_write_eld_info(struct s char name[64]; char *sname; long long val; - int n; + unsigned int n;
while (!snd_info_get_line(buffer, line, sizeof(line))) { if (sscanf(line, "%s %llx", name, &val) != 2) @@ -539,7 +539,7 @@ static void hdmi_write_eld_info(struct s sname++; n = 10 * n + name[4] - '0'; } - if (n < 0 || n > 31) /* double the CEA limit */ + if (n >= ELD_MAX_SAD) continue; if (!strcmp(sname, "_coding_type")) e->sad[n].format = val;
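Review bot: in the second hunk, `if (n >= ELD_MAX_SAD)` is a complete check only because the first hunk makes `n` unsigned. The hunk does not show the characters in `n = 10 * n + name[4] - '0'` being validated, so a negative result is rejected solely because it wraps to a large unsigned value. A one-line comment on the guard stating that dependency would keep a later change of `n` back to `int` from silently reopening the negative-index case, and the changelog could mention the type change alongside the bound.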
At Wed, 29 Jul 2009 19:31:14 +0800, Wu Fengguang wrote:
On Wed, Jul 29, 2009 at 12:25:11PM +0200, Roel Kluin wrote:
e->sad[] is declared with size ELD_MAX_SAD (16), but the guard allows the range 0-31
Good catch, thank you, Roel!
Minor fix: '>=' should be used in this line:
if (n < 0 || n > ELD_MAX_SAD)
So I'd suggest this updated patch.
Applied the updated one now. Thanks.
Takashi
Thanks, Fengguang
hda: fix out-of-bound hdmi_eld.sad[] write
From: Roel Kluin roel.kluin@gmail.com
e->sad[] is declared with size ELD_MAX_SAD=16, but the guard allows range 0-31.
Signed-off-by: Roel Kluin roel.kluin@gmail.com
Signed-off-by: Wu Fengguang fengguang.wu@intel.com
sound/pci/hda/hda_eld.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- sound-2.6.orig/sound/pci/hda/hda_eld.c +++ sound-2.6/sound/pci/hda/hda_eld.c @@ -508,7 +508,7 @@ static void hdmi_write_eld_info(struct s char name[64]; char *sname; long long val;
- int n;
unsigned int n;
while (!snd_info_get_line(buffer, line, sizeof(line))) { if (sscanf(line, "%s %llx", name, &val) != 2)
@@ -539,7 +539,7 @@ static void hdmi_write_eld_info(struct s sname++; n = 10 * n + name[4] - '0'; }
if (n < 0 || n > 31) /* double the CEA limit */
if (n >= ELD_MAX_SAD) continue; if (!strcmp(sname, "_coding_type")) e->sad[n].format = val;
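The three guards that appear in this thread, run side by side over a few names (an added example, not code from the patch or the kernel tree). `sad_index`, the digit test on `name[4]`, the `skip_*` helpers and the input names are assumptions made for the illustration; `skip_signed_ge` shows what the applied guard would do if `n` had stayed `int`.

```c
#include <stdio.h>

#define ELD_MAX_SAD 16          /* array size stated in the thread */

/* Hypothetical helper: index from a "sadN_field"/"sadNN_field" name,
 * using the same "- '0'" arithmetic as the hunk; the first character
 * is deliberately not validated, so the result can be negative. */
static int sad_index(const char *name)
{
    int n = name[3] - '0';
    if (name[4] >= '0' && name[4] <= '9')   /* assumed digit test */
        n = 10 * n + name[4] - '0';
    return n;
}

/* Each guard returns 1 when the line would be skipped ("continue"). */
static int skip_original(int n)         { return n < 0 || n > 31; }
static int skip_first_patch(int n)      { return n < 0 || n > ELD_MAX_SAD; }
static int skip_signed_ge(int n)        { return n >= ELD_MAX_SAD; }
static int skip_applied(unsigned int n) { return n >= ELD_MAX_SAD; }

/* 1 when a guard lets through an index outside sad[0..ELD_MAX_SAD-1]. */
static int admits_oob(int n, int skipped)
{
    return !skipped && (n < 0 || n >= ELD_MAX_SAD);
}

int main(void)
{
    /* Constructed input names, not taken from a real ELD dump. */
    const char *names[] = { "sad0_coding_type", "sad15_coding_type",
                            "sad16_coding_type", "sad31_coding_type",
                            "sad/_coding_type" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int n = sad_index(names[i]);
        printf("%-18s n=%3d  orig:%d first:%d signed>=:%d applied:%d\n",
               names[i], n,
               admits_oob(n, skip_original(n)),
               admits_oob(n, skip_first_patch(n)),
               admits_oob(n, skip_signed_ge(n)),
               admits_oob(n, skip_applied((unsigned int)n)));
    }
    return 0;
}
```

A 1 in a column means that guard would let the write reach an index outside the array; only the applied combination of unsigned `n` and `>=` shows 0 on every row.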
On Wednesday 29 July 2009 11:25, Roel Kluin wrote:
e->sad[] is declared with size ELD_MAX_SAD (16), but the guard allows the range 0-31
Signed-off-by: Roel Kluin roel.kluin@gmail.com
Found with Parfait, http://research.sun.com/projects/parfait/
I've been looking for this tool to evaluate; is it available publicly, or do you have 'privileged access'?
Thanks
Alan
participants (4)
- Alan Horstmann
- Roel Kluin
- Takashi Iwai
- Wu Fengguang