aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Rosenberg <drosenberg@vsecurity.com>2011-03-23 11:42:57 -0400
committerTakashi Iwai <tiwai@suse.de>2011-03-23 17:48:13 -0400
commit4d00135a680727f6c3be78f8befaac009030e4df (patch)
tree730a88b218c6540feda268aa6df5d9ef349abc5a
parentb769f49463711205d57286e64cf535ed4daf59e9 (diff)
sound/oss/opl3: validate voice and channel indexes
User-controllable indexes for voice and channel values may cause reading and writing beyond the bounds of their respective arrays, leading to potentially exploitable memory corruption. Validate these indexes. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: stable@kernel.org Signed-off-by: Takashi Iwai <tiwai@suse.de>
-rw-r--r--sound/oss/opl3.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c
index cbf957424d5..407cd677950 100644
--- a/sound/oss/opl3.c
+++ b/sound/oss/opl3.c
@@ -845,6 +845,10 @@ static int opl3_load_patch(int dev, int format, const char __user *addr,
845 845
846static void opl3_panning(int dev, int voice, int value) 846static void opl3_panning(int dev, int voice, int value)
847{ 847{
848
849 if (voice < 0 || voice >= devc->nr_voice)
850 return;
851
848 devc->voc[voice].panning = value; 852 devc->voc[voice].panning = value;
849} 853}
850 854
@@ -1062,8 +1066,15 @@ static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info
1062 1066
1063static void opl3_setup_voice(int dev, int voice, int chn) 1067static void opl3_setup_voice(int dev, int voice, int chn)
1064{ 1068{
1065 struct channel_info *info = 1069 struct channel_info *info;
1066 &synth_devs[dev]->chn_info[chn]; 1070
1071 if (voice < 0 || voice >= devc->nr_voice)
1072 return;
1073
1074 if (chn < 0 || chn > 15)
1075 return;
1076
1077 info = &synth_devs[dev]->chn_info[chn];
1067 1078
1068 opl3_set_instr(dev, voice, info->pgm_num); 1079 opl3_set_instr(dev, voice, info->pgm_num);
1069 1080