[alsa-devel] [patch] oss/sb_audio: prevent divide by zero bug
Dan Carpenter
dan.carpenter at oracle.com
Sat Aug 18 17:55:15 CEST 2012
Speed comes from get_user() in audio_ioctl(). We use it to set the "s"
variable before clamping it to valid values so it could lead to a divide
by zero bug.
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
diff --git a/sound/oss/sb_audio.c b/sound/oss/sb_audio.c
index 733b014..b2b3c01 100644
--- a/sound/oss/sb_audio.c
+++ b/sound/oss/sb_audio.c
@@ -575,13 +575,15 @@ static int jazz16_audio_set_speed(int dev, int speed)
if (speed > 0)
{
int tmp;
- int s = speed * devc->channels;
+ int s;
if (speed < 5000)
speed = 5000;
if (speed > 44100)
speed = 44100;
+ s = speed * devc->channels;
+
devc->tconst = (256 - ((1000000 + s / 2) / s)) & 0xff;
tmp = 256 - devc->tconst;
More information about the Alsa-devel
mailing list