From patchwork Wed Feb 11 15:10:54 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter <dan.carpenter@oracle.com>
X-Patchwork-Id: 5813051
Return-Path: <alsa-devel-bounces@alsa-project.org>
X-Original-To: patchwork-alsa-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id EFE61BF440
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Wed, 11 Feb 2015 15:10:28 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 30EE120219
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Wed, 11 Feb 2015 15:10:28 +0000 (UTC)
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	by mail.kernel.org (Postfix) with ESMTP id 94CF0201C0
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Wed, 11 Feb 2015 15:10:25 +0000 (UTC)
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 88B5A264F3A; Wed, 11 Feb 2015 16:10:23 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_DNS_FOR_FROM,
	UNPARSEABLE_RELAY autolearn=no version=3.3.1
Received: from alsa0.perex.cz (localhost [IPv6:::1])
	by alsa0.perex.cz (Postfix) with ESMTP id 8CBDD2619DC;
	Wed, 11 Feb 2015 16:10:14 +0100 (CET)
X-Original-To: alsa-devel@alsa-project.org
Delivered-To: alsa-devel@alsa-project.org
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 8538A261AD8; Wed, 11 Feb 2015 16:10:13 +0100 (CET)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81])
	by alsa0.perex.cz (Postfix) with ESMTP id 754692605D0
	for <alsa-devel@alsa-project.org>;
	Wed, 11 Feb 2015 16:10:05 +0100 (CET)
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234])
	by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2)
	with ESMTP id t1BF9xjX021155
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Wed, 11 Feb 2015 15:10:00 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86])
	by aserv0022.oracle.com (8.13.8/8.13.8) with ESMTP id t1BF9xqr014978
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 11 Feb 2015 15:09:59 GMT
Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9])
	by userz7022.oracle.com (8.14.5+Sun/8.14.4) with ESMTP id
	t1BF9wMI023308; Wed, 11 Feb 2015 15:09:58 GMT
Received: from mwanda (/154.0.139.178) by default (Oracle Beehive Gateway
	v4.0) with ESMTP ; Wed, 11 Feb 2015 07:09:57 -0800
Date: Wed, 11 Feb 2015 18:10:54 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Jaroslav Kysela <perex@perex.cz>
Message-ID: <20150211151054.GA30155@mwanda>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Source-IP: aserv0022.oracle.com [141.146.126.234]
Cc: Takashi Iwai <tiwai@suse.de>, alsa-devel@alsa-project.org,
	kernel-janitors@vger.kernel.org
Subject: [alsa-devel] [patch] ALSA: seq: potential out of bounds in
	do_control()
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
	http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: 
 <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
X-Virus-Scanned: ClamAV using ClamSMTP

Smatch complains that "control" is user specifigy and needs to be
capped.  The call tree to understand this warning is quite long.

snd_seq_write()  <-- get the event from the user
  snd_seq_client_enqueue_event()
    snd_seq_deliver_event()
      deliver_to_subscribers()
        snd_seq_deliver_single_event()
          snd_opl3_oss_event_input()
            snd_midi_process_event()
              do_control()

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I have spent some time reviewing this code, but I may have missed
something where we verify that control is in bounds.  I'm not very
familiar with this code and the call tree is fairly long.

diff --git a/sound/core/seq/seq_midi_emul.c b/sound/core/seq/seq_midi_emul.c
index 9b6470c..7ba9373 100644
--- a/sound/core/seq/seq_midi_emul.c
+++ b/sound/core/seq/seq_midi_emul.c
@@ -269,6 +269,9 @@ do_control(struct snd_midi_op *ops, void *drv, struct snd_midi_channel_set *chse
 {
 	int  i;
 
+	if (control >= ARRAY_SIZE(chan->control))
+		return;
+
 	/* Switches */
 	if ((control >=64 && control <=69) || (control >= 80 && control <= 83)) {
 		/* These are all switches; either off or on so set to 0 or 127 */