At Fri, 13 Sep 2013 10:44:44 +0300, Dan Carpenter wrote: > > These ->put() functions are called from snd_ctl_elem_write() with user > supplied data. snd_asihpi_tuner_band_put() is missing a limit check and > the check in snd_asihpi_clksrc_put() can underflow. > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Applied, thanks. Takashi > > diff --git a/sound/pci/asihpi/asihpi.c b/sound/pci/asihpi/asihpi.c > index dc632cd..5f2acd3 100644 > --- a/sound/pci/asihpi/asihpi.c > +++ b/sound/pci/asihpi/asihpi.c > @@ -1913,6 +1913,7 @@ static int snd_asihpi_tuner_band_put(struct snd_kcontrol *kcontrol, > struct snd_card_asihpi *asihpi = snd_kcontrol_chip(kcontrol); > */ > u32 h_control = kcontrol->private_value; > + unsigned int idx; > u16 band; > u16 tuner_bands[HPI_TUNER_BAND_LAST]; > u32 num_bands = 0; > @@ -1920,7 +1921,10 @@ static int snd_asihpi_tuner_band_put(struct snd_kcontrol *kcontrol, > num_bands = asihpi_tuner_band_query(kcontrol, tuner_bands, > HPI_TUNER_BAND_LAST); > > - band = tuner_bands[ucontrol->value.enumerated.item[0]]; > + idx = ucontrol->value.enumerated.item[0]; > + if (idx >= ARRAY_SIZE(tuner_bands)) > + idx = ARRAY_SIZE(tuner_bands) - 1; > + band = tuner_bands[idx]; > hpi_handle_error(hpi_tuner_set_band(h_control, band)); > > return 1; > @@ -2383,7 +2387,8 @@ static int snd_asihpi_clksrc_put(struct snd_kcontrol *kcontrol, > struct snd_card_asihpi *asihpi = > (struct snd_card_asihpi *)(kcontrol->private_data); > struct clk_cache *clkcache = &asihpi->cc; > - int change, item; > + unsigned int item; > + int change; > u32 h_control = kcontrol->private_value; > > change = 1; > -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html