On Tue, Mar 03, 2015 at 12:21:34PM +0100, Clemens Ladisch wrote: > Dan Carpenter wrote: > > In snd_opl3_calc_pitch() then the limit is: > > > > if (pitchbend > 0x1FFF) > > pitchbend = 0x1FFF; > > > > But it can underflow meaning that segment can be as low as > > SHORT_MIN / 0x1000 and we can read 6 elements before the start of the > > opl3_note_table[] array. > > > - short midi_pitchbend; /* Pitch bend amount */ > > + unsigned short midi_pitchbend; /* Pitch bend amount */ > > Pitch bend is a signed 14-bit value. What is wrong is the missing > check for the lower bound. > Thanks for the review. I will resend. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
