[alsa-devel] [PATCH] pcm: fix buffer overflow in snd_pcm_chmap_print()

Takashi Iwai tiwai at suse.de
Wed Dec 31 10:03:06 CET 2014


At Tue, 30 Dec 2014 20:46:11 +0200,
Anssi Hannula wrote:
> 
> The size argument is wrong for one of the snprintf() calls in
> snd_pcm_chmap_print(), allowing an overflow to happen (the user-provided
> buffer may be written data up to 2x its actual size).
> 
> Seen in a user report here: http://trac.kodi.tv/ticket/15641
> 
> Signed-off-by: Anssi Hannula <anssi.hannula at iki.fi>

Thanks, applied.


Takashi

> ---
>  src/pcm/pcm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/pcm/pcm.c b/src/pcm/pcm.c
> index baa47c7..e74e02f 100644
> --- a/src/pcm/pcm.c
> +++ b/src/pcm/pcm.c
> @@ -7621,7 +7621,7 @@ int snd_pcm_chmap_print(const snd_pcm_chmap_t *map, size_t maxlen, char *buf)
>  				return -ENOMEM;
>  		}
>  		if (map->pos[i] & SND_CHMAP_DRIVER_SPEC)
> -			len += snprintf(buf + len, maxlen, "%d", p);
> +			len += snprintf(buf + len, maxlen - len, "%d", p);
>  		else {
>  			const char *name = chmap_names[p];
>  			if (name)
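Review bot: on the changed snprintf() line, the return value is still added to len with no bound check visible in this hunk. snprintf() returns the length it would have written, so on truncation len can end up past maxlen, and because maxlen is a size_t, a later `maxlen - len` would then wrap to a very large size and bring the overflow back. Suggest testing `len >= maxlen` immediately after this call and returning the same way as the `return -ENOMEM` path just above, before anything else is appended. The else branch is cut off by the hunk context, so it is also worth confirming that the snprintf() calls there pass `maxlen - len` rather than `maxlen`.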
> -- 
> 1.8.4.5
> 

