Dan Carpenter wrote: > In snd_opl3_calc_pitch() then the limit is: > > if (pitchbend > 0x1FFF) > pitchbend = 0x1FFF; > > But it can underflow meaning that segment can be as low as > SHORT_MIN / 0x1000 and we can read 6 elements before the start of the > opl3_note_table[] array. > - short midi_pitchbend; /* Pitch bend amount */ > + unsigned short midi_pitchbend; /* Pitch bend amount */ Pitch bend is a signed 14-bit value. What is wrong is the missing check for the lower bound. Regards, Clemens -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
