On Thu, 9 Sep 2010, Takashi Iwai wrote:
> At Thu, 9 Sep 2010 00:11:41 +0200,
> Dan Carpenter wrote:
>>
>> If we pass in a device which is higher than SNDRV_RAWMIDI_DEVICES then
>> the "next device" should be -1. This function just returns device + 1.
>>
>> But the main thing is that "device + 1" can lead to a (harmless) integer
>> overflow and that annoys static analysis tools.
>>
>> Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
>> ---
>> V2: In the first version I made negative values return -EINVAL
>> V3: We shouldn't return -EINVAL for numbers which are too large but
>> just set the next device to -1.
>>
>> diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
>> index eb68326..df67605 100644
>> --- a/sound/core/rawmidi.c
>> +++ b/sound/core/rawmidi.c
>> @@ -829,6 +829,8 @@ static int snd_rawmidi_control_ioctl(struct snd_card *card,
>>
>> if (get_user(device, (int __user *)argp))
>> return -EFAULT;
>> + if (device > SNDRV_RAWMIDI_DEVICES) /* next device is -1 */
>> + device = SNDRV_RAWMIDI_DEVICES;
>> mutex_lock(®ister_mutex);
>> device = device < 0 ? 0 : device + 1;
>> while (device < SNDRV_RAWMIDI_DEVICES) {
>>
>
> We still need to cover the case device == SNDRV_RAWMIDI_DEVICES.
> Also, device is incremented, so it has to be SNDRV_RAWMIDI_DEVICE - 1.
> i.e.
>
>> + if (device >= SNDRV_RAWMIDI_DEVICES) /* next device is -1 */
>> + device = SNDRV_RAWMIDI_DEVICES - 1;
>
>
> I applied the fixed patch now.
Maybe a goto to 'device = -1' line from the condition above might be more
light (resulted instruction code size) and understandable for this case.
Jaroslav
-----
Jaroslav Kysela <perex@xxxxxxxx>
Linux Kernel Sound Maintainer
ALSA Project, Red Hat, Inc.
_______________________________________________
Alsa-devel mailing list
Alsa-devel@xxxxxxxxxxxxxxxx
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
