X-Patchwork-Submitter: Anssi Hannula
X-Patchwork-Id: 5552871
From: Anssi Hannula
To: Takashi Iwai
Cc: alsa-devel@alsa-project.org
Date: Tue, 30 Dec 2014 20:46:11 +0200
Message-Id: <1419965171-23403-1-git-send-email-anssi.hannula@iki.fi>
Subject: [alsa-devel] [PATCH] pcm: fix buffer overflow in snd_pcm_chmap_print()

The size argument is wrong for one of the snprintf() calls in snd_pcm_chmap_print(), allowing an overflow to happen (the user-provided buffer may be written data up to 2x its actual size).

Seen in a user report here: http://trac.kodi.tv/ticket/15641

Signed-off-by: Anssi Hannula

--- src/pcm/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pcm/pcm.c b/src/pcm/pcm.c index baa47c7..e74e02f 100644 --- a/src/pcm/pcm.c +++ b/src/pcm/pcm.c @@ -7621,7 +7621,7 @@ int snd_pcm_chmap_print(const snd_pcm_chmap_t *map, size_t maxlen, char *buf) return -ENOMEM; } if (map->pos[i] & SND_CHMAP_DRIVER_SPEC) - len += snprintf(buf + len, maxlen, "%d", p); + len += snprintf(buf + len, maxlen - len, "%d", p); else { const char *name = chmap_names[p]; if (name)
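
Review bot: In the `SND_CHMAP_DRIVER_SPEC` branch, `maxlen - len` is evaluated in `size_t` (the type of `maxlen` in the signature), so the new size argument is only safe while `len < maxlen`. snprintf() returns the length the output would have had without truncation, so after `len += snprintf(buf + len, maxlen - len, "%d", p);` the value of `len` can reach or pass `maxlen`; if any later append runs before the check that leads to `return -ENOMEM`, the subtraction wraps to a very large size and the overflow returns. Please confirm that the bound check runs before every snprintf() in the loop, or compare the return value with the remaining space right after this call and return -ENOMEM on truncation. The commit message says only one of the calls was wrong; it would help to state there that the other snprintf() calls in the function were checked and already pass the remaining size.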