Re: sound/pci/hda/patch_via.c: array overflow

From: Takashi Iwai
Date: Mon Oct 22 2007 - 11:24:21 EST

Next message: Bjorn Helgaas: "Re: PCMCIA driver resource allocation"
Previous message: Pekka Enberg: "Re: [PATCH] return hidden bug"
In reply to: Adrian Bunk: "sound/pci/hda/patch_via.c: array overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At Fri, 19 Oct 2007 14:57:09 +0200,
Adrian Bunk wrote:
>
> sound/pci/hda/patch_via.c contains the following code:
>
> <-- snip -->
>
> ...
> struct via_spec {
> ...
> hda_nid_t private_dac_nids[4];
> ... ^^^
> };
> ...
> static int vt1709_auto_fill_dac_nids(struct via_spec *spec,
> const struct auto_pin_cfg *cfg)
> {
> ...
> spec->multiout.dac_nids = spec->private_dac_nids;
>
> if (cfg->line_outs == 4) { /* 10 channels */ <------------------
> for (i = 0; i < cfg->line_outs; i++) {
> nid = cfg->line_out_pins[i];
> if (nid) {
> /* config dac list */
> switch (i) {
> case AUTO_SEQ_FRONT:
> /* AOW0 */
> spec->multiout.dac_nids[i] = 0x10;
> break;
> case AUTO_SEQ_CENLFE:
> /* AOW2 */
> spec->multiout.dac_nids[i] = 0x12;
> break;
> case AUTO_SEQ_SURROUND:
> /* AOW3 */
> spec->multiout.dac_nids[i] = 0x27;
> break;
> case AUTO_SEQ_SIDE:
> /* AOW1 */
> spec->multiout.dac_nids[i] = 0x11;
> break;
> default:
> break;
> }
> }
> }
> spec->multiout.dac_nids[cfg->line_outs] = 0x28; /* AOW4 */
> ... ^^^^^^^^^^^^^^
>
> <-- snip -->
>
> Spotted by the Coverity checker.

Thanks. The following patch was applied to ALSA tree.

Takashi

[ALSA] hda-codec - Fix possible array overflow

dac_nids arrays in each codec support code may have up to 5 items
when assigned from the auto-configurator. Some codec codes have
less numbers than the possible max. This patch defines the constant
and fixes the array definitions.

Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>

---

diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/hda_local.h
--- a/sound/pci/hda/hda_local.h Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/hda_local.h Mon Oct 22 17:20:10 2007 +0200
@@ -310,16 +310,17 @@ enum {

extern const char *auto_pin_cfg_labels[AUTO_PIN_LAST];

+#define AUTO_CFG_MAX_OUTS 5
+
struct auto_pin_cfg {
int line_outs;
- hda_nid_t line_out_pins[5]; /* sorted in the order of
- * Front/Surr/CLFE/Side
- */
+ /* sorted in the order of Front/Surr/CLFE/Side */
+ hda_nid_t line_out_pins[AUTO_CFG_MAX_OUTS];
int speaker_outs;
- hda_nid_t speaker_pins[5];
+ hda_nid_t speaker_pins[AUTO_CFG_MAX_OUTS];
int hp_outs;
int line_out_type; /* AUTO_PIN_XXX_OUT */
- hda_nid_t hp_pins[5];
+ hda_nid_t hp_pins[AUTO_CFG_MAX_OUTS];
hda_nid_t input_pins[AUTO_PIN_LAST];
hda_nid_t dig_out_pin;
hda_nid_t dig_in_pin;
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_analog.c
--- a/sound/pci/hda/patch_analog.c Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_analog.c Mon Oct 22 17:20:10 2007 +0200
@@ -72,7 +72,7 @@ struct ad198x_spec {
unsigned int num_kctl_alloc, num_kctl_used;
struct snd_kcontrol_new *kctl_alloc;
struct hda_input_mux private_imux;
- hda_nid_t private_dac_nids[4];
+ hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];

unsigned int jack_present :1;

diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_cmedia.c
--- a/sound/pci/hda/patch_cmedia.c Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_cmedia.c Mon Oct 22 17:20:10 2007 +0200
@@ -50,7 +50,7 @@ struct cmi_spec {

/* playback */
struct hda_multi_out multiout;
- hda_nid_t dac_nids[4]; /* NID for each DAC */
+ hda_nid_t dac_nids[AUTO_CFG_MAX_OUTS]; /* NID for each DAC */
int num_dacs;

/* capture */
@@ -73,7 +73,6 @@ struct cmi_spec {
unsigned int pin_def_confs;

/* multichannel pins */
- hda_nid_t multich_pin[4]; /* max 8-channel */
struct hda_verb multi_init[9]; /* 2 verbs for each pin + terminator */
};

diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_conexant.c
--- a/sound/pci/hda/patch_conexant.c Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_conexant.c Mon Oct 22 17:20:10 2007 +0200
@@ -85,7 +85,7 @@ struct conexant_spec {
unsigned int num_kctl_alloc, num_kctl_used;
struct snd_kcontrol_new *kctl_alloc;
struct hda_input_mux private_imux;
- hda_nid_t private_dac_nids[4];
+ hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];

};

diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_realtek.c
--- a/sound/pci/hda/patch_realtek.c Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_realtek.c Mon Oct 22 17:20:10 2007 +0200
@@ -238,7 +238,7 @@ struct alc_spec {
unsigned int num_kctl_alloc, num_kctl_used;
struct snd_kcontrol_new *kctl_alloc;
struct hda_input_mux private_imux;
- hda_nid_t private_dac_nids[5];
+ hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];

/* hooks */
void (*init_hook)(struct hda_codec *codec);
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_via.c
--- a/sound/pci/hda/patch_via.c Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_via.c Mon Oct 22 17:20:10 2007 +0200
@@ -114,7 +114,7 @@ struct via_spec {
unsigned int num_kctl_alloc, num_kctl_used;
struct snd_kcontrol_new *kctl_alloc;
struct hda_input_mux private_imux;
- hda_nid_t private_dac_nids[4];
+ hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];

#ifdef CONFIG_SND_HDA_POWER_SAVE
struct hda_loopback_check loopback;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Bjorn Helgaas: "Re: PCMCIA driver resource allocation"
Previous message: Pekka Enberg: "Re: [PATCH] return hidden bug"
In reply to: Adrian Bunk: "sound/pci/hda/patch_via.c: array overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]