[alsa-devel] [PATCH] pcm: fix buffer overflow in snd_pcm_chmap_print()
Takashi Iwai
tiwai at suse.de
Wed Dec 31 10:03:06 CET 2014
At Tue, 30 Dec 2014 20:46:11 +0200,
Anssi Hannula wrote:
>
> The size argument is wrong for one of the snprintf() calls in
> snd_pcm_chmap_print(), allowing an overflow to happen (the user-provided
> buffer may be written data up to 2x its actual size).
>
> Seen in a user report here: http://trac.kodi.tv/ticket/15641
>
> Signed-off-by: Anssi Hannula <anssi.hannula at iki.fi>
Thanks, applied.
Takashi
> ---
> src/pcm/pcm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/pcm/pcm.c b/src/pcm/pcm.c
> index baa47c7..e74e02f 100644
> --- a/src/pcm/pcm.c
> +++ b/src/pcm/pcm.c
> @@ -7621,7 +7621,7 @@ int snd_pcm_chmap_print(const snd_pcm_chmap_t *map, size_t maxlen, char *buf)
> return -ENOMEM;
> }
> if (map->pos[i] & SND_CHMAP_DRIVER_SPEC)
> - len += snprintf(buf + len, maxlen, "%d", p);
> + len += snprintf(buf + len, maxlen - len, "%d", p);
> else {
> const char *name = chmap_names[p];
> if (name)
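Review bot: On the changed snprintf(buf + len, maxlen - len, "%d", p) line, maxlen is a size_t and snprintf() returns the length it would have written, not the length it did write, so if len ever reaches or exceeds maxlen the subtraction wraps to a very large size and the bound is lost again. The "return -ENOMEM" at the top of the hunk suggests a bounds check exists, but its condition is not visible here; please confirm that it tests len >= maxlen after every snprintf() in the loop, including the name branch that follows, before the next "maxlen - len" is computed.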
> --
> 1.8.4.5
>
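The size-argument mistake described in the commit message, reproduced as an added example (not ALSA code and not part of the original mail). print_positions(), bytes_past_end() and the sample values are constructed for illustration, and the arena is deliberately larger than maxlen so the stray write stays inside valid memory and can be measured.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the loop in the patch: prints ints separated by
 * spaces. fixed == 0 passes the old size argument (maxlen), fixed != 0 the
 * patched one (maxlen - len). Returns the length written or -ENOMEM. */
static int print_positions(const int *pos, size_t n, size_t maxlen,
                           char *buf, int fixed)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        if (i > 0) {
            len += (size_t)snprintf(buf + len, maxlen - len, " ");
            if (len >= maxlen)
                return -ENOMEM;
        }
        /* len < maxlen is guaranteed here, so maxlen - len cannot wrap */
        size_t room = fixed ? maxlen - len : maxlen;
        len += (size_t)snprintf(buf + len, room, "%d", pos[i]);
        if (len >= maxlen)      /* snprintf returns the would-be length */
            return -ENOMEM;
    }
    return (int)len;
}

/* Runs the loop with a logical size of maxlen inside a larger canary-filled
 * arena and returns how many bytes beyond maxlen were modified. */
static size_t bytes_past_end(int fixed, size_t maxlen)
{
    static const int pos[] = { 1000001, 1000002, 1000003 };
    char arena[64];
    size_t over = 0;
    memset(arena, 0x7f, sizeof(arena));
    (void)print_positions(pos, 3, maxlen, arena, fixed);
    for (size_t i = maxlen; i < sizeof(arena); i++)
        if (arena[i] != 0x7f)
            over = i - maxlen + 1;
    return over;
}

int main(void)
{
    printf("old size argument: %zu bytes past end\n", bytes_past_end(0, 12));
    printf("patched argument:  %zu bytes past end\n", bytes_past_end(1, 12));
    return 0;
}
```

Both variants return -ENOMEM for the 12-byte case; the difference is that the old size argument has already written beyond the caller's buffer by the time the check runs.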