2.6.38-stable review patch. If anyone has any objections, please let us know.
------------------ From: Dan Rosenberg <[email protected]> commit 4d00135a680727f6c3be78f8befaac009030e4df upstream. User-controllable indexes for voice and channel values may cause reading and writing beyond the bounds of their respective arrays, leading to potentially exploitable memory corruption. Validate these indexes. Signed-off-by: Dan Rosenberg <[email protected]> Signed-off-by: Takashi Iwai <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- sound/oss/opl3.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) --- a/sound/oss/opl3.c +++ b/sound/oss/opl3.c @@ -849,6 +849,10 @@ static int opl3_load_patch(int dev, int static void opl3_panning(int dev, int voice, int value) { + + if (voice < 0 || voice >= devc->nr_voice) + return; + devc->voc[voice].panning = value; } @@ -1066,8 +1070,15 @@ static int opl3_alloc_voice(int dev, int static void opl3_setup_voice(int dev, int voice, int chn) { - struct channel_info *info = - &synth_devs[dev]->chn_info[chn]; + struct channel_info *info; + + if (voice < 0 || voice >= devc->nr_voice) + return; + + if (chn < 0 || chn > 15) + return; + + info = &synth_devs[dev]->chn_info[chn]; opl3_set_instr(dev, voice, info->pgm_num); _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
