The miXart timer notification is a variable length, and if a hardware
is screwed up, we may access over the actual data size. Let's add a
sanity check and bail out if an invalid value is received.
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
---
sound/pci/mixart/mixart_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/pci/mixart/mixart_core.c b/sound/pci/mixart/mixart_core.c
index 853083dd4bad..a047ed0f84e9 100644
--- a/sound/pci/mixart/mixart_core.c
+++ b/sound/pci/mixart/mixart_core.c
@@ -443,6 +443,8 @@ irqreturn_t snd_mixart_threaded_irq(int irq, void *dev_id)
notify = (struct mixart_timer_notify *)mixart_msg_data;
BUILD_BUG_ON(sizeof(notify) > sizeof(mixart_msg_data));
+ if (snd_BUG_ON(notify->stream_count > ARRAY_SIZE(notify->streams)))
+ break;
for(i=0; i<notify->stream_count; i++) {
u32 buffer_id = notify->streams[i].buffer_id;
--
2.31.1
