Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c45ec06c authored by Roel Kluin's avatar Roel Kluin Committed by Takashi Iwai
Browse files

sound: aedsp16: Buffer overflow



DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes
including terminating null.

Signed-off-by: default avatarRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent 4be3bd78
Loading
Loading
Loading
Loading
+5 −4
Original line number Diff line number Diff line
@@ -326,7 +326,8 @@
 * Size of character arrays that store name and version of sound card
 */
#define CARDNAMELEN	15	/* Size of the card's name in chars     */
#define CARDVERLEN  2		/* Size of the card's version in chars  */
#define CARDVERLEN	10	/* Size of the card's version in chars	*/
#define CARDVERDIGITS	2	/* Number of digits in the version	*/

#if defined(CONFIG_SC6600)
/*
@@ -410,7 +411,7 @@

static int      soft_cfg __initdata = 0;	/* bitmapped config */
static int      soft_cfg_mss __initdata = 0;	/* bitmapped mss config */
static int      ver[CARDVERLEN] __initdata = {0, 0};	/* DSP Ver:
static int      ver[CARDVERDIGITS] __initdata = {0, 0};	/* DSP Ver:
						   hi->ver[0] lo->ver[1] */

#if defined(CONFIG_SC6600)
@@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port)
	 * string is finished.
	 */
		ver[len++] = ret;
	  } while (len < CARDVERLEN);
	  } while (len < CARDVERDIGITS);
	sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);

	DBG(("success.\n"));