From patchwork Tue Mar 3 19:13:18 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 5925661 Return-Path: X-Original-To: patchwork-alsa-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 598C89F373 for ; Tue, 3 Mar 2015 19:13:57 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 8939620434 for ; Tue, 3 Mar 2015 19:13:56 +0000 (UTC) Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243]) by mail.kernel.org (Postfix) with ESMTP id 5DFF9202DD for ; Tue, 3 Mar 2015 19:13:55 +0000 (UTC) Received: by alsa0.perex.cz (Postfix, from userid 1000) id B0D8E261A32; Tue, 3 Mar 2015 20:13:53 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_DNS_FOR_FROM, UNPARSEABLE_RELAY autolearn=no version=3.3.1 Received: from alsa0.perex.cz (localhost [IPv6:::1]) by alsa0.perex.cz (Postfix) with ESMTP id D13202619D8; Tue, 3 Mar 2015 20:13:49 +0100 (CET) X-Original-To: alsa-devel@alsa-project.org Delivered-To: alsa-devel@alsa-project.org Received: by alsa0.perex.cz (Postfix, from userid 1000) id 599DC2619D9; Tue, 3 Mar 2015 20:13:48 +0100 (CET) Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by alsa0.perex.cz (Postfix) with ESMTP id CD0862617AB for ; Tue, 3 Mar 2015 20:13:40 +0100 (CET) Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id t23JDaRd025425 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 3 Mar 2015 19:13:38 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id t23JDZLW004335 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 3 Mar 2015 19:13:35 GMT Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id t23JDXbC010611; Tue, 3 Mar 2015 19:13:33 GMT Received: from mwanda (/154.0.139.178) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 03 Mar 2015 11:13:27 -0800 Date: Tue, 3 Mar 2015 22:13:18 +0300 From: Dan Carpenter To: Jaroslav Kysela Message-ID: <20150303191318.GA7569@mwanda> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <54F5993E.7000109@ladisch.de> User-Agent: Mutt/1.5.21 (2010-09-15) X-Source-IP: acsinet22.oracle.com [141.146.126.238] Cc: Takashi Iwai , alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org Subject: [alsa-devel] [patch v2] ALSA: opl3: small array underflow X-BeenThere: alsa-devel@alsa-project.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Alsa-devel mailing list for ALSA developers - http://www.alsa-project.org" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: alsa-devel-bounces@alsa-project.org Sender: alsa-devel-bounces@alsa-project.org X-Virus-Scanned: ClamAV using ClamSMTP We don't check for negatives so "pitchbend" can be SHRT_MIN here. It means that we can read up to 6 elements before the start of the opl3_note_table[] array. There are several ways we could fix this. I have gone with what is maybe the lazier approach of just changing negative values to zero. Hopefully, people aren't passing negatives here anyway. Signed-off-by: Dan Carpenter --- v2: The first patch just chan->midi_pitchbend unsigned but Clemens Ladisch pointed out that that breaks the API. diff --git a/sound/drivers/opl3/opl3_midi.c b/sound/drivers/opl3/opl3_midi.c index f62780e..0cb91dc 100644 --- a/sound/drivers/opl3/opl3_midi.c +++ b/sound/drivers/opl3/opl3_midi.c @@ -105,6 +105,8 @@ static void snd_opl3_calc_pitch(unsigned char *fnum, unsigned char *blocknum, int pitchbend = chan->midi_pitchbend; int segment; + if (pitchbend < 0) + pitchbend = 0; if (pitchbend > 0x1FFF) pitchbend = 0x1FFF;