sound: aedsp16: Buffer overflow
DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes including terminating null. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
Родитель
4be3bd7849
Коммит
c45ec06c74
|
@ -325,8 +325,9 @@
|
|||
/*
|
||||
* Size of character arrays that store name and version of sound card
|
||||
*/
|
||||
#define CARDNAMELEN 15 /* Size of the card's name in chars */
|
||||
#define CARDVERLEN 2 /* Size of the card's version in chars */
|
||||
#define CARDNAMELEN 15 /* Size of the card's name in chars */
|
||||
#define CARDVERLEN 10 /* Size of the card's version in chars */
|
||||
#define CARDVERDIGITS 2 /* Number of digits in the version */
|
||||
|
||||
#if defined(CONFIG_SC6600)
|
||||
/*
|
||||
|
@ -410,7 +411,7 @@
|
|||
|
||||
static int soft_cfg __initdata = 0; /* bitmapped config */
|
||||
static int soft_cfg_mss __initdata = 0; /* bitmapped mss config */
|
||||
static int ver[CARDVERLEN] __initdata = {0, 0}; /* DSP Ver:
|
||||
static int ver[CARDVERDIGITS] __initdata = {0, 0}; /* DSP Ver:
|
||||
hi->ver[0] lo->ver[1] */
|
||||
|
||||
#if defined(CONFIG_SC6600)
|
||||
|
@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port)
|
|||
* string is finished.
|
||||
*/
|
||||
ver[len++] = ret;
|
||||
} while (len < CARDVERLEN);
|
||||
} while (len < CARDVERDIGITS);
|
||||
sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);
|
||||
|
||||
DBG(("success.\n"));
|
||||
|
|
Загрузка…
Ссылка в новой задаче