diff options
| author | Jesper Juhl <jesper.juhl@gmail.com> | 2006-06-13 05:58:12 -0400 |
|---|---|---|
| committer | Jaroslav Kysela <perex@suse.cz> | 2006-06-22 15:34:22 -0400 |
| commit | 63eb1e4bd2975f1d1102c1f44e4fd6fcd76f7792 (patch) | |
| tree | 6768bcbdfba41b7e4a79f5faee5d4f117e076321 /sound/isa | |
| parent | 6540dffa6ecfe0d99fb263548dcc4b35ccefe784 (diff) | |
[ALSA] fix potential NULL pointer deref in snd_sb8dsp_midi_interrupt()
First testing if a pointer is NULL and if it is (or might be), proceeding
with code that dereferences that same pointer is clearly a mistake.
This happens in sound/isa/sb/sb8_midi.c::snd_sb8dsp_midi_interrupt()
The patch below reworks the code so this unfortunate case doesn't happen.
Also remove some blank comments.
Found by the Coverity checker as bug #367
Patch is compile testted only due to lack of hardware.
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/isa')
| -rw-r--r-- | sound/isa/sb/sb8_midi.c | 20 |
1 files changed, 7 insertions, 13 deletions
diff --git a/sound/isa/sb/sb8_midi.c b/sound/isa/sb/sb8_midi.c index c549aceea294..0b67edd7ac6e 100644 --- a/sound/isa/sb/sb8_midi.c +++ b/sound/isa/sb/sb8_midi.c | |||
| @@ -32,20 +32,22 @@ | |||
| 32 | #include <sound/core.h> | 32 | #include <sound/core.h> |
| 33 | #include <sound/sb.h> | 33 | #include <sound/sb.h> |
| 34 | 34 | ||
| 35 | /* | ||
| 36 | |||
| 37 | */ | ||
| 38 | 35 | ||
| 39 | irqreturn_t snd_sb8dsp_midi_interrupt(struct snd_sb * chip) | 36 | irqreturn_t snd_sb8dsp_midi_interrupt(struct snd_sb *chip) |
| 40 | { | 37 | { |
| 41 | struct snd_rawmidi *rmidi; | 38 | struct snd_rawmidi *rmidi; |
| 42 | int max = 64; | 39 | int max = 64; |
| 43 | char byte; | 40 | char byte; |
| 44 | 41 | ||
| 45 | if (chip == NULL || (rmidi = chip->rmidi) == NULL) { | 42 | if (!chip) |
| 43 | return IRQ_NONE; | ||
| 44 | |||
| 45 | rmidi = chip->rmidi; | ||
| 46 | if (!rmidi) { | ||
| 46 | inb(SBP(chip, DATA_AVAIL)); /* ack interrupt */ | 47 | inb(SBP(chip, DATA_AVAIL)); /* ack interrupt */ |
| 47 | return IRQ_NONE; | 48 | return IRQ_NONE; |
| 48 | } | 49 | } |
| 50 | |||
| 49 | spin_lock(&chip->midi_input_lock); | 51 | spin_lock(&chip->midi_input_lock); |
| 50 | while (max-- > 0) { | 52 | while (max-- > 0) { |
| 51 | if (inb(SBP(chip, DATA_AVAIL)) & 0x80) { | 53 | if (inb(SBP(chip, DATA_AVAIL)) & 0x80) { |
| @@ -59,10 +61,6 @@ irqreturn_t snd_sb8dsp_midi_interrupt(struct snd_sb * chip) | |||
| 59 | return IRQ_HANDLED; | 61 | return IRQ_HANDLED; |
| 60 | } | 62 | } |
| 61 | 63 | ||
| 62 | /* | ||
| 63 | |||
| 64 | */ | ||
| 65 | |||
| 66 | static int snd_sb8dsp_midi_input_open(struct snd_rawmidi_substream *substream) | 64 | static int snd_sb8dsp_midi_input_open(struct snd_rawmidi_substream *substream) |
| 67 | { | 65 | { |
| 68 | unsigned long flags; | 66 | unsigned long flags; |
| @@ -252,10 +250,6 @@ static void snd_sb8dsp_midi_output_trigger(struct snd_rawmidi_substream *substre | |||
| 252 | snd_sb8dsp_midi_output_write(substream); | 250 | snd_sb8dsp_midi_output_write(substream); |
| 253 | } | 251 | } |
| 254 | 252 | ||
| 255 | /* | ||
| 256 | |||
| 257 | */ | ||
| 258 | |||
| 259 | static struct snd_rawmidi_ops snd_sb8dsp_midi_output = | 253 | static struct snd_rawmidi_ops snd_sb8dsp_midi_output = |
| 260 | { | 254 | { |
| 261 | .open = snd_sb8dsp_midi_output_open, | 255 | .open = snd_sb8dsp_midi_output_open, |