| Message ID | 20150305174906.GB17072@mwanda (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | d124380674b58f62d0ef974630d74d67bb8afeb0 |
| Headers | show |
At Thu, 5 Mar 2015 20:49:06 +0300, Dan Carpenter wrote: > > There is a missing lower bound check on "pitchbend" so it means we can > read up to 6 elements before the start of the opl3_note_table[] array. > > Thanks to Clemens Ladisch for his help with this patch. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > v3: The first two versions of this broke the user space API. Applied, thanks. Takashi > > diff --git a/sound/drivers/opl3/opl3_midi.c b/sound/drivers/opl3/opl3_midi.c > index f62780e..7821b07 100644 > --- a/sound/drivers/opl3/opl3_midi.c > +++ b/sound/drivers/opl3/opl3_midi.c > @@ -105,6 +105,8 @@ static void snd_opl3_calc_pitch(unsigned char *fnum, unsigned char *blocknum, > int pitchbend = chan->midi_pitchbend; > int segment; > > + if (pitchbend < -0x2000) > + pitchbend = -0x2000; > if (pitchbend > 0x1FFF) > pitchbend = 0x1FFF; > >
diff --git a/sound/drivers/opl3/opl3_midi.c b/sound/drivers/opl3/opl3_midi.c index f62780e..7821b07 100644 --- a/sound/drivers/opl3/opl3_midi.c +++ b/sound/drivers/opl3/opl3_midi.c @@ -105,6 +105,8 @@ static void snd_opl3_calc_pitch(unsigned char *fnum, unsigned char *blocknum, int pitchbend = chan->midi_pitchbend; int segment; + if (pitchbend < -0x2000) + pitchbend = -0x2000; if (pitchbend > 0x1FFF) pitchbend = 0x1FFF;
There is a missing lower bound check on "pitchbend" so it means we can read up to 6 elements before the start of the opl3_note_table[] array. Thanks to Clemens Ladisch for his help with this patch. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- v3: The first two versions of this broke the user space API.