
pcm: fix buffer overflow in snd_pcm_chmap_print()

Message ID 1419965171-23403-1-git-send-email-anssi.hannula@iki.fi (mailing list archive)
State New, archived

Commit Message

Anssi Hannula Dec. 30, 2014, 6:46 p.m. UTC
The size argument is wrong for one of the snprintf() calls in
snd_pcm_chmap_print(), allowing an overflow to happen (the user-provided
buffer may be written data up to 2x its actual size).

Seen in a user report here: http://trac.kodi.tv/ticket/15641

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
---
 src/pcm/pcm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Takashi Iwai Dec. 31, 2014, 9:03 a.m. UTC | #1
At Tue, 30 Dec 2014 20:46:11 +0200,
Anssi Hannula wrote:
> 
> The size argument is wrong for one of the snprintf() calls in
> snd_pcm_chmap_print(), allowing an overflow to happen (the user-provided
> buffer may be written data up to 2x its actual size).
> 
> Seen in a user report here: http://trac.kodi.tv/ticket/15641
> 
> Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>

Thanks, applied.


Takashi

> ---
>  src/pcm/pcm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/pcm/pcm.c b/src/pcm/pcm.c
> index baa47c7..e74e02f 100644
> --- a/src/pcm/pcm.c
> +++ b/src/pcm/pcm.c
> @@ -7621,7 +7621,7 @@ int snd_pcm_chmap_print(const snd_pcm_chmap_t *map, size_t maxlen, char *buf)
>  				return -ENOMEM;
>  		}
>  		if (map->pos[i] & SND_CHMAP_DRIVER_SPEC)
> -			len += snprintf(buf + len, maxlen, "%d", p);
> +			len += snprintf(buf + len, maxlen - len, "%d", p);
>  		else {
>  			const char *name = chmap_names[p];
>  			if (name)
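
Review bot: On the changed line, `maxlen - len` is evaluated as size_t (the hunk header shows `size_t maxlen`), and snprintf() returns the length it would have written, not the length actually stored, so `len` can exceed `maxlen` after a truncated call. The hunk shows a `return -ENOMEM;` before this branch but nothing after it; please confirm that a `len >= maxlen` check runs after this snprintf() and before the next `buf + len` is formed, otherwise the subtraction wraps to a very large size on the following call.
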
> -- 
> 1.8.4.5
>

Patch

diff --git a/src/pcm/pcm.c b/src/pcm/pcm.c
index baa47c7..e74e02f 100644
--- a/src/pcm/pcm.c
+++ b/src/pcm/pcm.c
@@ -7621,7 +7621,7 @@  int snd_pcm_chmap_print(const snd_pcm_chmap_t *map, size_t maxlen, char *buf)
 				return -ENOMEM;
 		}
 		if (map->pos[i] & SND_CHMAP_DRIVER_SPEC)
-			len += snprintf(buf + len, maxlen, "%d", p);
+			len += snprintf(buf + len, maxlen - len, "%d", p);
 		else {
 			const char *name = chmap_names[p];
 			if (name)
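
Review bot: The commit message says only one of the snprintf() calls had the wrong size, but the `else` branch at the end of this hunk (`const char *name = chmap_names[p];` then `if (name)`) is cut off before whatever it writes into `buf`, so the patch as shown does not let a reader verify that. Suggest noting in the commit message that the other writes in snd_pcm_chmap_print() already pass `maxlen - len`, so the fix can be checked for completeness without opening the file.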