sound: aedsp16: Buffer overflow

DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes
including terminating null.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
Roel Kluin 2009-07-29 11:46:59 +02:00 коммит произвёл Takashi Iwai
Родитель 4be3bd7849
Коммит c45ec06c74
1 изменённых файлов: 5 добавлений и 4 удалений

Просмотреть файл

@ -325,8 +325,9 @@
/*
* Size of character arrays that store name and version of sound card
*/
#define CARDNAMELEN 15 /* Size of the card's name in chars */
#define CARDVERLEN 2 /* Size of the card's version in chars */
#define CARDNAMELEN 15 /* Size of the card's name in chars */
#define CARDVERLEN 10 /* Size of the card's version in chars */
#define CARDVERDIGITS 2 /* Number of digits in the version */
#if defined(CONFIG_SC6600)
/*
@ -410,7 +411,7 @@
static int soft_cfg __initdata = 0; /* bitmapped config */
static int soft_cfg_mss __initdata = 0; /* bitmapped mss config */
static int ver[CARDVERLEN] __initdata = {0, 0}; /* DSP Ver:
static int ver[CARDVERDIGITS] __initdata = {0, 0}; /* DSP Ver:
hi->ver[0] lo->ver[1] */
#if defined(CONFIG_SC6600)
@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port)
* string is finished.
*/
ver[len++] = ret;
} while (len < CARDVERLEN);
} while (len < CARDVERDIGITS);
sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);
DBG(("success.\n"));