aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoel Kluin <roel.kluin@gmail.com>2009-07-29 05:46:59 -0400
committerTakashi Iwai <tiwai@suse.de>2009-07-29 08:37:12 -0400
commitc45ec06c74512265969aef40b00f320c6afb7a90 (patch)
tree10ee18d623609075cd1b1388ad07add759434f21
parent4be3bd7849165e7efa6b0b35a23d6a3598d97465 (diff)
sound: aedsp16: Buffer overflow
DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes including terminating null. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-rw-r--r--sound/oss/aedsp16.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/sound/oss/aedsp16.c b/sound/oss/aedsp16.c
index 3ee9900ffd7b..35b5912cf3f8 100644
--- a/sound/oss/aedsp16.c
+++ b/sound/oss/aedsp16.c
@@ -325,8 +325,9 @@
325/* 325/*
326 * Size of character arrays that store name and version of sound card 326 * Size of character arrays that store name and version of sound card
327 */ 327 */
328#define CARDNAMELEN 15 /* Size of the card's name in chars */ 328#define CARDNAMELEN 15 /* Size of the card's name in chars */
329#define CARDVERLEN 2 /* Size of the card's version in chars */ 329#define CARDVERLEN 10 /* Size of the card's version in chars */
330#define CARDVERDIGITS 2 /* Number of digits in the version */
330 331
331#if defined(CONFIG_SC6600) 332#if defined(CONFIG_SC6600)
332/* 333/*
@@ -410,7 +411,7 @@
410 411
411static int soft_cfg __initdata = 0; /* bitmapped config */ 412static int soft_cfg __initdata = 0; /* bitmapped config */
412static int soft_cfg_mss __initdata = 0; /* bitmapped mss config */ 413static int soft_cfg_mss __initdata = 0; /* bitmapped mss config */
413static int ver[CARDVERLEN] __initdata = {0, 0}; /* DSP Ver: 414static int ver[CARDVERDIGITS] __initdata = {0, 0}; /* DSP Ver:
414 hi->ver[0] lo->ver[1] */ 415 hi->ver[0] lo->ver[1] */
415 416
416#if defined(CONFIG_SC6600) 417#if defined(CONFIG_SC6600)
@@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port)
957 * string is finished. 958 * string is finished.
958 */ 959 */
959 ver[len++] = ret; 960 ver[len++] = ret;
960 } while (len < CARDVERLEN); 961 } while (len < CARDVERDIGITS);
961 sprintf(DSPVersion, "%d.%d", ver[0], ver[1]); 962 sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);
962 963
963 DBG(("success.\n")); 964 DBG(("success.\n"));