sound: aedsp16: Buffer overflow

DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes
including terminating null.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

1 files changed, 5 insertions, 4 deletions

diff --git a/sound/oss/aedsp16.c b/sound/oss/aedsp16.c
index 3ee9900ffd7b..35b5912cf3f8 100644
--- a/sound/oss/aedsp16.c
+++ b/sound/oss/aedsp16.c
@@ -325,8 +325,9 @@
 /*
  * Size of character arrays that store name and version of sound card
  */
-#define CARDNAMELEN 15          /* Size of the card's name in chars     */
-#define CARDVERLEN  2           /* Size of the card's version in chars  */
+#define CARDNAMELEN     15      /* Size of the card's name in chars     */
+#define CARDVERLEN      10      /* Size of the card's version in chars  */
+#define CARDVERDIGITS   2       /* Number of digits in the version      */
 
 #if defined(CONFIG_SC6600)
 /*
@@ -410,7 +411,7 @@
 
 static int      soft_cfg __initdata = 0;        /* bitmapped config */
 static int      soft_cfg_mss __initdata = 0;    /* bitmapped mss config */
-static int      ver[CARDVERLEN] __initdata = {0, 0};    /* DSP Ver:
+static int      ver[CARDVERDIGITS] __initdata = {0, 0}; /* DSP Ver:
                                                    hi->ver[0] lo->ver[1] */
 
 #if defined(CONFIG_SC6600)
@@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port)
          * string is finished.
          */
                 ver[len++] = ret;
-          } while (len < CARDVERLEN);
+          } while (len < CARDVERDIGITS);
         sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);
 
         DBG(("success.\n"));