Commit c45ec06c authored by Roel Kluin's avatar Roel Kluin Committed by Takashi Iwai

sound: aedsp16: Buffer overflow

DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes
including terminating null.
Signed-off-by: default avatarRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent 4be3bd78
...@@ -325,8 +325,9 @@ ...@@ -325,8 +325,9 @@
/* /*
* Size of character arrays that store name and version of sound card * Size of character arrays that store name and version of sound card
*/ */
#define CARDNAMELEN 15 /* Size of the card's name in chars */ #define CARDNAMELEN 15 /* Size of the card's name in chars */
#define CARDVERLEN 2 /* Size of the card's version in chars */ #define CARDVERLEN 10 /* Size of the card's version in chars */
#define CARDVERDIGITS 2 /* Number of digits in the version */
#if defined(CONFIG_SC6600) #if defined(CONFIG_SC6600)
/* /*
...@@ -410,7 +411,7 @@ ...@@ -410,7 +411,7 @@
static int soft_cfg __initdata = 0; /* bitmapped config */ static int soft_cfg __initdata = 0; /* bitmapped config */
static int soft_cfg_mss __initdata = 0; /* bitmapped mss config */ static int soft_cfg_mss __initdata = 0; /* bitmapped mss config */
static int ver[CARDVERLEN] __initdata = {0, 0}; /* DSP Ver: static int ver[CARDVERDIGITS] __initdata = {0, 0}; /* DSP Ver:
hi->ver[0] lo->ver[1] */ hi->ver[0] lo->ver[1] */
#if defined(CONFIG_SC6600) #if defined(CONFIG_SC6600)
...@@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port) ...@@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port)
* string is finished. * string is finished.
*/ */
ver[len++] = ret; ver[len++] = ret;
} while (len < CARDVERLEN); } while (len < CARDVERDIGITS);
sprintf(DSPVersion, "%d.%d", ver[0], ver[1]); sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);
DBG(("success.\n")); DBG(("success.\n"));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment