The miXart timer notification is of variable length, and if the hardware is screwed up, we may access beyond the actual data size. Let's add a sanity check and bail out if an invalid value is received. Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> --- sound/pci/mixart/mixart_core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/pci/mixart/mixart_core.c b/sound/pci/mixart/mixart_core.c index 853083dd4bad..a047ed0f84e9 100644 --- a/sound/pci/mixart/mixart_core.c +++ b/sound/pci/mixart/mixart_core.c @@ -443,6 +443,8 @@ irqreturn_t snd_mixart_threaded_irq(int irq, void *dev_id) notify = (struct mixart_timer_notify *)mixart_msg_data; BUILD_BUG_ON(sizeof(notify) > sizeof(mixart_msg_data)); + if (snd_BUG_ON(notify->stream_count > ARRAY_SIZE(notify->streams))) + break; for(i=0; i<notify->stream_count; i++) { u32 buffer_id = notify->streams[i].buffer_id; -- 2.31.1
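Review bot: the added `if (snd_BUG_ON(notify->stream_count > ARRAY_SIZE(notify->streams)))` uses a driver-bug assertion macro to validate a count that comes from the device. The commit message describes this as a hardware fault rather than a driver bug, so a plain `if (notify->stream_count > ARRAY_SIZE(notify->streams))` with a rate-limited `dev_err()` before the `break` would fit better. It would keep the bounds check independent of how `snd_BUG_ON` is built in a given configuration, and it would stop a misbehaving card from raising an assertion-style warning on every timer interrupt. Separately, in the unchanged context line above the new check, `BUILD_BUG_ON(sizeof(notify) > sizeof(mixart_msg_data))` takes the size of the pointer `notify`, not of the structure it points to. If the intent is to guarantee that the notification structure fits in `mixart_msg_data`, that should be `sizeof(*notify)`. This matters here because the new check relies on `ARRAY_SIZE(notify->streams)` lying entirely inside that buffer.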