[alsa-devel] [patch] ALSA: seq_midi_emul: small array underflow
Clemens Ladisch
clemens at ladisch.de
Tue Mar 3 12:21:34 CET 2015
Dan Carpenter wrote:
> In snd_opl3_calc_pitch() then the limit is:
>
> if (pitchbend > 0x1FFF)
> pitchbend = 0x1FFF;
>
> But it can underflow meaning that segment can be as low as
> SHORT_MIN / 0x1000 and we can read 6 elements before the start of the
> opl3_note_table[] array.
> - short midi_pitchbend; /* Pitch bend amount */
> + unsigned short midi_pitchbend; /* Pitch bend amount */
Pitch bend is a signed 14-bit value. What is wrong is the missing
check for the lower bound.
Regards,
Clemens
More information about the Alsa-devel
mailing list