[alsa-devel] [patch] ALSA: seq_midi_emul: small array underflow
Dan Carpenter
dan.carpenter at oracle.com
Tue Mar 3 12:38:48 CET 2015
On Tue, Mar 03, 2015 at 12:21:34PM +0100, Clemens Ladisch wrote:
> Dan Carpenter wrote:
> > In snd_opl3_calc_pitch() then the limit is:
> >
> > if (pitchbend > 0x1FFF)
> > pitchbend = 0x1FFF;
> >
> > But it can underflow meaning that segment can be as low as
> > SHORT_MIN / 0x1000 and we can read 6 elements before the start of the
> > opl3_note_table[] array.
>
> > - short midi_pitchbend; /* Pitch bend amount */
> > + unsigned short midi_pitchbend; /* Pitch bend amount */
>
> Pitch bend is a signed 14-bit value. What is wrong is the missing
> check for the lower bound.
>
Thanks for the review. I will resend.
regards,
dan carpenter
More information about the Alsa-devel
mailing list