| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 08 Nov 2006 17:07:00 +0100
From: Takashi Iwai <tiwai@...e.de>
To: Adrian Bunk <bunk@...sta.de>
Cc: perex@...e.cz, alsa-devel@...a-project.org,
linux-kernel@...r.kernel.org
Subject: Re: [Alsa-devel] sound/pci/ac97/ac97_patch.c: possible negative array index
At Tue, 7 Nov 2006 19:03:23 +0100,
Adrian Bunk wrote:
>
> The Coverity checker noted the following in sound/pci/ac97/ac97_patch.c:
>
> <-- snip -->
>
> ...
> static int patch_ad1881_chained1(struct snd_ac97 * ac97, int idx, unsigned short codec_bits)
> {
> static int cfg_bits[3] = { 1<<12, 1<<14, 1<<13 };
> unsigned short val;
>
> snd_ac97_update_bits(ac97, AC97_AD_SERIAL_CFG, 0x7000, cfg_bits[idx]);
> snd_ac97_write_cache(ac97, AC97_AD_CODEC_CFG, 0x0004); // SDIE
> val = snd_ac97_read(ac97, AC97_VENDOR_ID2);
> if ((val & 0xff40) != 0x5340)
> return 0;
> if (codec_bits)
> snd_ac97_write_cache(ac97, AC97_AD_CODEC_CFG, codec_bits);
> ac97->spec.ad18xx.chained[idx] = cfg_bits[idx];
> ac97->spec.ad18xx.id[idx] = val;
> ac97->spec.ad18xx.codec_cfg[idx] = codec_bits ? codec_bits : 0x0004;
> return 1;
> }
>
> static void patch_ad1881_chained(struct snd_ac97 * ac97, int unchained_idx, int cidx1, int cidx2)
> {
> // already detected?
> if (ac97->spec.ad18xx.unchained[cidx1] || ac97->spec.ad18xx.chained[cidx1])
> cidx1 = -1;
> if (ac97->spec.ad18xx.unchained[cidx2] || ac97->spec.ad18xx.chained[cidx2])
> cidx2 = -1;
> if (cidx1 < 0 && cidx2 < 0)
> return;
> // test for chained codecs
> snd_ac97_update_bits(ac97, AC97_AD_SERIAL_CFG, 0x7000,
> ac97->spec.ad18xx.unchained[unchained_idx]);
> snd_ac97_write_cache(ac97, AC97_AD_CODEC_CFG, 0x0002); // ID1C
> ac97->spec.ad18xx.codec_cfg[unchained_idx] = 0x0002;
> if (cidx1 >= 0) {
> if (patch_ad1881_chained1(ac97, cidx1, 0x0006)) // SDIE | ID1C
> patch_ad1881_chained1(ac97, cidx2, 0);
> else if (patch_ad1881_chained1(ac97, cidx2, 0x0006)) // SDIE | ID1C
> patch_ad1881_chained1(ac97, cidx1, 0);
> } else if (cidx2 >= 0) {
> patch_ad1881_chained1(ac97, cidx2, 0);
> }
> }
> ...
>
> <-- snip -->
>
> If there are in patch_ad1881_chained() (cidx2 == -1) and (cidx1 >= 0),
> -1 will be used as array index in patch_ad1881_chained1().
Thanks, fixed on ALSA tree now.
Takashi
diff -r d152dacb9bad -r 4fc4f9aba378 sound/pci/ac97/ac97_patch.c
--- a/sound/pci/ac97/ac97_patch.c Wed Nov 08 15:41:29 2006 +0100
+++ b/sound/pci/ac97/ac97_patch.c Wed Nov 08 15:48:43 2006 +0100
@@ -1467,7 +1467,9 @@ static void patch_ad1881_chained(struct
snd_ac97_write_cache(ac97, AC97_AD_CODEC_CFG, 0x0002); // ID1C
ac97->spec.ad18xx.codec_cfg[unchained_idx] = 0x0002;
if (cidx1 >= 0) {
- if (patch_ad1881_chained1(ac97, cidx1, 0x0006)) // SDIE | ID1C
+ if (cidx2 < 0)
+ patch_ad1881_chained1(ac97, cidx1, 0);
+ else if (patch_ad1881_chained1(ac97, cidx1, 0x0006)) // SDIE | ID1C
patch_ad1881_chained1(ac97, cidx2, 0);
else if (patch_ad1881_chained1(ac97, cidx2, 0x0006)) // SDIE | ID1C
patch_ad1881_chained1(ac97, cidx1, 0);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists