mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
sound: oss: off by one bug
The problem is that in the original code sound_nblocks could go up to 1024 which would be an array overflow. This was found with a static checker and has been compile tested only. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Jaroslav Kysela <perex@perex.cz>
This commit is contained in:
parent
440b004cf9
commit
444c1953d4
3 changed files with 13 additions and 9 deletions
|
@ -67,14 +67,15 @@ int sound_install_audiodrv(int vers, char *name, struct audio_driver *driver,
|
|||
return -(EBUSY);
|
||||
}
|
||||
d = (struct audio_driver *) (sound_mem_blocks[sound_nblocks] = vmalloc(sizeof(struct audio_driver)));
|
||||
|
||||
if (sound_nblocks < 1024)
|
||||
sound_nblocks++;
|
||||
sound_nblocks++;
|
||||
if (sound_nblocks >= MAX_MEM_BLOCKS)
|
||||
sound_nblocks = MAX_MEM_BLOCKS - 1;
|
||||
|
||||
op = (struct audio_operations *) (sound_mem_blocks[sound_nblocks] = vmalloc(sizeof(struct audio_operations)));
|
||||
sound_nblocks++;
|
||||
if (sound_nblocks >= MAX_MEM_BLOCKS)
|
||||
sound_nblocks = MAX_MEM_BLOCKS - 1;
|
||||
|
||||
if (sound_nblocks < 1024)
|
||||
sound_nblocks++;
|
||||
if (d == NULL || op == NULL) {
|
||||
printk(KERN_ERR "Sound: Can't allocate driver for (%s)\n", name);
|
||||
sound_unload_audiodev(num);
|
||||
|
@ -128,9 +129,10 @@ int sound_install_mixer(int vers, char *name, struct mixer_operations *driver,
|
|||
until you unload sound! */
|
||||
|
||||
op = (struct mixer_operations *) (sound_mem_blocks[sound_nblocks] = vmalloc(sizeof(struct mixer_operations)));
|
||||
sound_nblocks++;
|
||||
if (sound_nblocks >= MAX_MEM_BLOCKS)
|
||||
sound_nblocks = MAX_MEM_BLOCKS - 1;
|
||||
|
||||
if (sound_nblocks < 1024)
|
||||
sound_nblocks++;
|
||||
if (op == NULL) {
|
||||
printk(KERN_ERR "Sound: Can't allocate mixer driver for (%s)\n", name);
|
||||
return -ENOMEM;
|
||||
|
|
|
@ -142,4 +142,6 @@ static inline int translate_mode(struct file *file)
|
|||
#define TIMER_ARMED 121234
|
||||
#define TIMER_NOT_ARMED 1
|
||||
|
||||
#define MAX_MEM_BLOCKS 1024
|
||||
|
||||
#endif
|
||||
|
|
|
@ -56,7 +56,7 @@
|
|||
/*
|
||||
* Table for permanently allocated memory (used when unloading the module)
|
||||
*/
|
||||
void * sound_mem_blocks[1024];
|
||||
void * sound_mem_blocks[MAX_MEM_BLOCKS];
|
||||
int sound_nblocks = 0;
|
||||
|
||||
/* Persistent DMA buffers */
|
||||
|
@ -574,7 +574,7 @@ static int __init oss_init(void)
|
|||
NULL, "%s%d", dev_list[i].name, j);
|
||||
}
|
||||
|
||||
if (sound_nblocks >= 1024)
|
||||
if (sound_nblocks >= MAX_MEM_BLOCKS - 1)
|
||||
printk(KERN_ERR "Sound warning: Deallocation table was too small.\n");
|
||||
|
||||
return 0;
|
||||
|
|
Loading…
Reference in a new issue