Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c45ec06c authored by Roel Kluin's avatar Roel Kluin Committed by Takashi Iwai
Browse files

sound: aedsp16: Buffer overflow 



DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes
including terminating null.

Signed-off-by: default avatarRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent 4be3bd78

sound/oss/aedsp16.c

+5 −4
Original line number Diff line number Diff line
@@ -326,7 +326,8 @@ 
 * Size of character arrays that store name and version of sound card

 */

#define CARDNAMELEN	15	/* Size of the card's name in chars     */

#define CARDVERLEN  2		/* Size of the card's version in chars  */

#define CARDVERLEN	10	/* Size of the card's version in chars	*/

#define CARDVERDIGITS	2	/* Number of digits in the version	*/



#if defined(CONFIG_SC6600)

/*
@@ -410,7 +411,7 @@ 


static int      soft_cfg __initdata = 0;	/* bitmapped config */

static int      soft_cfg_mss __initdata = 0;	/* bitmapped mss config */

static int      ver[CARDVERLEN] __initdata = {0, 0};	/* DSP Ver:

static int      ver[CARDVERDIGITS] __initdata = {0, 0};	/* DSP Ver:

						   hi->ver[0] lo->ver[1] */



#if defined(CONFIG_SC6600)
@@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port) 
	 * string is finished.

	 */

		ver[len++] = ret;

	  } while (len < CARDVERLEN);

	  } while (len < CARDVERDIGITS);

	sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);



	DBG(("success.\n"));