Re: sound/pci/hda/patch_via.c: array overflow

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At Fri, 19 Oct 2007 14:57:09 +0200,
Adrian Bunk wrote:
> 
> sound/pci/hda/patch_via.c contains the following code:
> 
> <--  snip  -->
> 
> ...
> struct via_spec {
> ...
>         hda_nid_t private_dac_nids[4];  
> ...                               ^^^
> };
> ...
> static int vt1709_auto_fill_dac_nids(struct via_spec *spec,
>                                      const struct auto_pin_cfg *cfg)
> {
> ...
>        spec->multiout.dac_nids = spec->private_dac_nids;
> 
>         if (cfg->line_outs == 4) { /* 10 channels */   <------------------
>                 for (i = 0; i < cfg->line_outs; i++) {
>                         nid = cfg->line_out_pins[i];
>                         if (nid) {
>                                 /* config dac list */
>                                 switch (i) {
>                                 case AUTO_SEQ_FRONT:
>                                         /* AOW0 */
>                                         spec->multiout.dac_nids[i] = 0x10;
>                                         break;
>                                 case AUTO_SEQ_CENLFE:
>                                         /* AOW2 */
>                                         spec->multiout.dac_nids[i] = 0x12;
>                                         break;
>                                 case AUTO_SEQ_SURROUND:
>                                         /* AOW3 */
>                                         spec->multiout.dac_nids[i] = 0x27;
>                                         break;
>                                 case AUTO_SEQ_SIDE:
>                                         /* AOW1 */
>                                         spec->multiout.dac_nids[i] = 0x11;
>                                         break;
>                                 default:
>                                         break;
>                                 }
>                         }
>                 }
>                 spec->multiout.dac_nids[cfg->line_outs] = 0x28; /* AOW4 */
> ...                                     ^^^^^^^^^^^^^^
> 
> <--  snip  -->
> 
> Spotted by the Coverity checker.

Thanks.  The following patch was applied to ALSA tree.


Takashi


[ALSA] hda-codec - Fix possible array overflow

dac_nids arrays in each codec support code may have up to 5 items
when assigned from the auto-configurator.  Some codec codes have
less numbers than the possible max.  This patch defines the constant
and fixes the array definitions.

Signed-off-by: Takashi Iwai <[email protected]>

---

diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/hda_local.h
--- a/sound/pci/hda/hda_local.h	Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/hda_local.h	Mon Oct 22 17:20:10 2007 +0200
@@ -310,16 +310,17 @@ enum {
 
 extern const char *auto_pin_cfg_labels[AUTO_PIN_LAST];
 
+#define AUTO_CFG_MAX_OUTS	5
+
 struct auto_pin_cfg {
 	int line_outs;
-	hda_nid_t line_out_pins[5]; /* sorted in the order of
-				     * Front/Surr/CLFE/Side
-				     */
+	/* sorted in the order of Front/Surr/CLFE/Side */
+	hda_nid_t line_out_pins[AUTO_CFG_MAX_OUTS];
 	int speaker_outs;
-	hda_nid_t speaker_pins[5];
+	hda_nid_t speaker_pins[AUTO_CFG_MAX_OUTS];
 	int hp_outs;
 	int line_out_type;	/* AUTO_PIN_XXX_OUT */
-	hda_nid_t hp_pins[5];
+	hda_nid_t hp_pins[AUTO_CFG_MAX_OUTS];
 	hda_nid_t input_pins[AUTO_PIN_LAST];
 	hda_nid_t dig_out_pin;
 	hda_nid_t dig_in_pin;
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_analog.c
--- a/sound/pci/hda/patch_analog.c	Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_analog.c	Mon Oct 22 17:20:10 2007 +0200
@@ -72,7 +72,7 @@ struct ad198x_spec {
 	unsigned int num_kctl_alloc, num_kctl_used;
 	struct snd_kcontrol_new *kctl_alloc;
 	struct hda_input_mux private_imux;
-	hda_nid_t private_dac_nids[4];
+	hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];
 
 	unsigned int jack_present :1;
 
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_cmedia.c
--- a/sound/pci/hda/patch_cmedia.c	Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_cmedia.c	Mon Oct 22 17:20:10 2007 +0200
@@ -50,7 +50,7 @@ struct cmi_spec {
 
 	/* playback */
 	struct hda_multi_out multiout;
-	hda_nid_t dac_nids[4];		/* NID for each DAC */
+	hda_nid_t dac_nids[AUTO_CFG_MAX_OUTS];	/* NID for each DAC */
 	int num_dacs;
 
 	/* capture */
@@ -73,7 +73,6 @@ struct cmi_spec {
 	unsigned int pin_def_confs;
 
 	/* multichannel pins */
-	hda_nid_t multich_pin[4];	/* max 8-channel */
 	struct hda_verb multi_init[9];	/* 2 verbs for each pin + terminator */
 };
 
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_conexant.c
--- a/sound/pci/hda/patch_conexant.c	Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_conexant.c	Mon Oct 22 17:20:10 2007 +0200
@@ -85,7 +85,7 @@ struct conexant_spec {
 	unsigned int num_kctl_alloc, num_kctl_used;
 	struct snd_kcontrol_new *kctl_alloc;
 	struct hda_input_mux private_imux;
-	hda_nid_t private_dac_nids[4];
+	hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];
 
 };
 
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_realtek.c
--- a/sound/pci/hda/patch_realtek.c	Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_realtek.c	Mon Oct 22 17:20:10 2007 +0200
@@ -238,7 +238,7 @@ struct alc_spec {
 	unsigned int num_kctl_alloc, num_kctl_used;
 	struct snd_kcontrol_new *kctl_alloc;
 	struct hda_input_mux private_imux;
-	hda_nid_t private_dac_nids[5];
+	hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];
 
 	/* hooks */
 	void (*init_hook)(struct hda_codec *codec);
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_via.c
--- a/sound/pci/hda/patch_via.c	Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_via.c	Mon Oct 22 17:20:10 2007 +0200
@@ -114,7 +114,7 @@ struct via_spec {
 	unsigned int num_kctl_alloc, num_kctl_used;
 	struct snd_kcontrol_new *kctl_alloc;
 	struct hda_input_mux private_imux;
-	hda_nid_t private_dac_nids[4];	
+	hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];
 
 #ifdef CONFIG_SND_HDA_POWER_SAVE
 	struct hda_loopback_check loopback;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux