diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-11-29 11:14:09 +0300 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2013-11-29 10:23:04 +0100 |
commit | 4d6ff250857a8b5f8e33ea62ff16f165085f8655 (patch) | |
tree | d9302124d8aed364304691841a93ec156e563295 /sound | |
parent | eb82594b75b0cf54c667189e061934b7c49b5d42 (diff) |
ALSA: dice: fix array limits in dice_proc_read()
The array limits are supposed to be in units of u32 instead of in bytes.
The current code has a potential array overflow.
Fixes: c614475b0ea9 ('ALSA: dice: add a proc file to show device information')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound')
-rw-r--r-- | sound/firewire/dice.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sound/firewire/dice.c b/sound/firewire/dice.c index 57bcd31fcc12..c0aa64941cee 100644 --- a/sound/firewire/dice.c +++ b/sound/firewire/dice.c @@ -1019,7 +1019,7 @@ static void dice_proc_read(struct snd_info_entry *entry, if (dice_proc_read_mem(dice, &tx_rx_header, sections[2], 2) < 0) return; - quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.tx)); + quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.tx) / 4); for (stream = 0; stream < tx_rx_header.number; ++stream) { if (dice_proc_read_mem(dice, &buf.tx, sections[2] + 2 + stream * tx_rx_header.size, @@ -1045,7 +1045,7 @@ static void dice_proc_read(struct snd_info_entry *entry, if (dice_proc_read_mem(dice, &tx_rx_header, sections[4], 2) < 0) return; - quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.rx)); + quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.rx) / 4); for (stream = 0; stream < tx_rx_header.number; ++stream) { if (dice_proc_read_mem(dice, &buf.rx, sections[4] + 2 + stream * tx_rx_header.size, |