On Thu, 24 Mar 2016 04:07:36 +0100,
mengdong.lin@xxxxxxxxxxxxxxx wrote:
>
> +static int parse_tuple_set(snd_tplg_t *tplg, snd_config_t *cfg,
> + struct tplg_tuple_set **s)
....
> + switch (type) {
> + case SND_SOC_TPLG_TUPLE_TYPE_UUID:
> + memcpy(tuple->uuid, value, 16);

This may become out-of-bound access. Check the size of value string
beforehand.

> + tplg_dbg("\t\t%s = %s\n", tuple->token, tuple->uuid);
> + break;
> +
> + case SND_SOC_TPLG_TUPLE_TYPE_STRING:
> + elem_copy_text(tuple->string, value,
> + SNDRV_CTL_ELEM_ID_NAME_MAXLEN);
> + tplg_dbg("\t\t%s = %s\n", tuple->token, tuple->string);
> + break;
> +
> + case SND_SOC_TPLG_TUPLE_TYPE_BOOL:
> + if (strcmp(value, "true") == 0)
> + tuple->value = 1;
> + tplg_dbg("\t\t%s = %d\n", tuple->token, tuple->value);
> + break;
> +
> + case SND_SOC_TPLG_TUPLE_TYPE_BYTE:
> + case SND_SOC_TPLG_TUPLE_TYPE_SHORT:
> + case SND_SOC_TPLG_TUPLE_TYPE_WORD:
> + tuple->value = atoi(value);

atoi() isn't good enough. It can't handle a hex number, for example,
and can't give an error.

> +/* Free handler of tuples */
> +void tplg_free_tuples(void *obj)
> +{
> + struct tplg_vendor_tuples *tuples = (struct tplg_vendor_tuples *)obj;
> + int i;
> +
> + if (!tuples)
> + return;
> +
> + for (i = 0; i < tuples->num_sets; i++)
> + free(tuples->set[i]);
> +}

tuples->set itself isn't freed?

Takashi
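
Review bot: In the SND_SOC_TPLG_TUPLE_TYPE_UUID case of parse_tuple_set(), the tplg_dbg() call prints tuple->uuid with %s right after memcpy(tuple->uuid, value, 16), so the debug print relies on a NUL terminator that a 16-byte copy does not guarantee; print the 16 bytes as hex, or bound the %s with a precision. In the SND_SOC_TPLG_TUPLE_TYPE_BOOL case, tuple->value is assigned only when value is "true", so any other string, a misspelling included, silently keeps whatever tuple->value already holds; assign 0 explicitly for "false" and return an error for anything else. The BYTE, SHORT and WORD cases share one assignment with no range check against the width of each type, so an oversized value is accepted for a byte or short tuple without any diagnostic.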
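
Review bot: In tplg_free_tuples(), the loop leaves the freed tuples->set[i] pointers and tuples->num_sets unchanged, so a second call on the same object would pass each already-freed pointer to free() again; set each entry to NULL after free(tuples->set[i]) or reset num_sets to 0 once the loop ends. The explicit cast of obj to struct tplg_vendor_tuples * is also unnecessary in C for a void * argument and can be dropped.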