At Mon, 16 Nov 2009 17:05:02 +0100, Roel Kluin wrote: > > When the {orig,midi}_dev equals num_midis, that's one too > large already. > > Signed-off-by: Roel Kluin <roel.kluin@xxxxxxxxx> > --- > In MIDIbuf_open() sound/oss/midibuf.c:166 > > if (num_midis > MAX_MIDI_DEV) > { > printk(KERN_ERR "midi: Too many midi interfaces\n"); > num_midis = MAX_MIDI_DEV; > } > > num_midis is at most MAX_MIDI_DEV. > > `git grep -n MAX_MIDI_DEV' and note that when the index equals > num_midis this causes reads/writes outside array bounds for > midi_devs, midi2synth, dev_conf and others (below check in patch). The fix looks correct to me. Applied now. Thanks. Takashi > > sound/oss/midi_synth.c | 2 +- > sound/oss/mpu401.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/sound/oss/midi_synth.c b/sound/oss/midi_synth.c > index 9e45098..3bc7104 100644 > --- a/sound/oss/midi_synth.c > +++ b/sound/oss/midi_synth.c > @@ -426,7 +426,7 @@ midi_synth_open(int dev, int mode) > int err; > struct midi_input_info *inc; > > - if (orig_dev < 0 || orig_dev > num_midis || midi_devs[orig_dev] == NULL) > + if (orig_dev < 0 || orig_dev >= num_midis || midi_devs[orig_dev] == NULL) > return -ENXIO; > > midi2synth[orig_dev] = dev; > diff --git a/sound/oss/mpu401.c b/sound/oss/mpu401.c > index 734b8f9..0af9d24 100644 > --- a/sound/oss/mpu401.c > +++ b/sound/oss/mpu401.c > @@ -770,7 +770,7 @@ static int mpu_synth_ioctl(int dev, unsigned int cmd, void __user *arg) > > midi_dev = synth_devs[dev]->midi_dev; > > - if (midi_dev < 0 || midi_dev > num_midis || midi_devs[midi_dev] == NULL) > + if (midi_dev < 0 || midi_dev >= num_midis || midi_devs[midi_dev] == NULL) > return -ENXIO; > > devc = &dev_conf[midi_dev]; > _______________________________________________ Alsa-devel mailing list Alsa-devel@xxxxxxxxxxxxxxxx http://mailman.alsa-project.org/mailman/listinfo/alsa-devel