[alsa-devel] [patch] ALSA: seq_midi_emul: small array underflow

Dan Carpenter dan.carpenter at oracle.com
Tue Mar 3 10:38:29 CET 2015


In snd_opl3_calc_pitch() the limit is:

	if (pitchbend > 0x1FFF)
		pitchbend = 0x1FFF;

But it can underflow, meaning that segment can be as low as
SHORT_MIN / 0x1000 and we can read 6 elements before the start of the
opl3_note_table[] array.

Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>

diff --git a/include/sound/seq_midi_emul.h b/include/sound/seq_midi_emul.h
index 8139d8c..c02b840 100644
--- a/include/sound/seq_midi_emul.h
+++ b/include/sound/seq_midi_emul.h
@@ -44,7 +44,7 @@ struct snd_midi_channel {
 	unsigned char midi_aftertouch;	/* Aftertouch (key pressure) */
 	unsigned char midi_pressure;	/* Channel pressure */
 	unsigned char midi_program;	/* Instrument number */
-	short midi_pitchbend;		/* Pitch bend amount */
+	unsigned short midi_pitchbend;	/* Pitch bend amount */
 
 	unsigned char control[128];	/* Current value of all controls */
 	unsigned char note[128];	/* Current status for all notes */
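Review bot: The type change on `midi_pitchbend` in struct snd_midi_channel affects every user of this shared header, not only snd_opl3_calc_pitch(), and it changes how negative values are interpreted. The commit message says the field can hold values down to SHORT_MIN, so negative values can be stored in it; with `unsigned short` they wrap to large positive numbers and are then caught by the existing `if (pitchbend > 0x1FFF)` clamp, which stops the read before the table but treats a negative bend the same as a maximum positive one. Consider keeping the field signed and adding a lower-bound check beside the existing upper clamp in snd_opl3_calc_pitch(), or, if the unsigned type is intended, update the field comment to state the range the value now carries.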


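The index arithmetic the commit message describes, as an added example that is not part of the original mail or the kernel source. The base index of 2 (chosen so the worst case matches the six elements the message mentions), the -0x2000 lower bound and the sample inputs are assumptions.

```c
#include <limits.h>
#include <stdio.h>

/* Assumption: smallest note index used to address the table; chosen so the
 * worst case matches the "6 elements before the start" in the message. */
#define BASE_IDX 2

/* Only the upper clamp quoted in the commit message. */
static int idx_upper_clamp_only(short bend)
{
	int pitchbend = bend;

	if (pitchbend > 0x1FFF)
		pitchbend = 0x1FFF;
	return BASE_IDX + pitchbend / 0x1000;	/* segment may be negative */
}

/* Field declared unsigned short, as in the patch: negative input wraps. */
static int idx_unsigned_field(short bend)
{
	unsigned short field = (unsigned short)bend;
	int pitchbend = field;

	if (pitchbend > 0x1FFF)
		pitchbend = 0x1FFF;
	return BASE_IDX + pitchbend / 0x1000;
}

/* Alternative: keep the signed field, clamp both ends (hypothetical bound). */
static int idx_both_clamps(short bend)
{
	int pitchbend = bend;

	if (pitchbend < -0x2000)
		pitchbend = -0x2000;
	if (pitchbend > 0x1FFF)
		pitchbend = 0x1FFF;
	return BASE_IDX + pitchbend / 0x1000;
}

int main(void)
{
	short samples[] = { SHRT_MIN, -1, 0, SHRT_MAX };	/* constructed inputs */

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%6d: upper-only %2d, unsigned %d, both %d\n", samples[i],
		       idx_upper_clamp_only(samples[i]),
		       idx_unsigned_field(samples[i]),
		       idx_both_clamps(samples[i]));
	return 0;
}
```

Under these assumptions the unsigned field keeps the index in bounds but maps every negative input to the same index as a maximum positive bend, while the two-sided clamp keeps the index at 0 or above and preserves the sign.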