Dan Carpenter <dan.carpenter@xxxxxxxxxx> writes:

> Good eye for spotting the memory corruption bug!
>
> This is a bug fix, so the fix should go in a separate patch and not
> merged with a code cleanup patch.  Ordinary users can trigger this so
> it's a security bug and separating it out is extra important.

Ok.  I just sent up a patch to the driverdev list.  I missed a few of
the Cc's that were on this thread, though.  Also, it will conflict with
Raphael's cleanup.

> The checking in spk_set_num_var() is not sufficient as well.  If we use
> E_INC then we can hit an integer overflow bug:

Good catch.  In fact, we shouldn't be using input at all!  Instead, we
need to use the value of the voice parameter after it was changed.
That will be a valid index into the two tables.  My patch does so.

-- Chris
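
The point made in the reply above, as an added C example that is not part of the original message and not the driver's code: an increment-mode setter that rejects overflowing or out-of-range results, and a table lookup that indexes with the stored value rather than the caller's input. All names (`set_num_var`, `select_voice`, `MODE_INC`, the two tables) are hypothetical and the table data is constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not the driver's code. */
enum set_mode { MODE_SET, MODE_INC };   /* MODE_INC plays the role of E_INC */

struct num_var { int low, high, value; };

/* Two parallel tables indexed by the voice setting (constructed sample data). */
static const char *const voice_name[] = { "v0", "v1", "v2", "v3" };
static const int voice_pitch[] = { 10, 20, 30, 40 };
#define N_VOICES ((int)(sizeof(voice_pitch) / sizeof(voice_pitch[0])))

/* Returns 0 and updates v->value only when the result lies in [low, high]. */
int set_num_var(struct num_var *v, int input, enum set_mode how)
{
    int val = input;

    if (how == MODE_INC) {
        /* Reject before adding: signed overflow is undefined behaviour,
         * so a range check performed after it cannot be trusted. */
        if ((input > 0 && v->value > INT_MAX - input) ||
            (input < 0 && v->value < INT_MIN - input))
            return -1;
        val = v->value + input;
    }
    if (val < v->low || val > v->high)
        return -1;
    v->value = val;
    return 0;
}

/* Index the tables with the stored value, never with the caller's input. */
int select_voice(struct num_var *v, int input, enum set_mode how)
{
    if (set_num_var(v, input, how) != 0)
        return -1;
    printf("voice %s\n", voice_name[v->value]);
    return voice_pitch[v->value];
}

int main(void)
{
    struct num_var voice = { 0, N_VOICES - 1, 2 };
    /* -1 is a valid increment (2 -> 1) but would be an invalid index. */
    printf("%d\n", select_voice(&voice, -1, MODE_INC));
    printf("%d\n", select_voice(&voice, INT_MAX, MODE_INC));
    return 0;
}
```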