Commit 12626530 authored by Kees Cook, committed by Takashi Iwai

ALSA: lola: Bounds check loop iterator against streams array size

GCC 12 sees that it's technically possible for num_streams to be larger
than ARRAY_SIZE(pcm->streams). Bounds-check the iterator.

../sound/pci/lola/lola_pcm.c: In function 'lola_pcm_update':
../sound/pci/lola/lola_pcm.c:567:64: warning: array subscript [0, 31] is outside array bounds of 'struct lola_stream[16]' [-Warray-bounds]
  567 |                         struct lola_stream *str = &pcm->streams[i];
      |                                                    ~~~~~~~~~~~~^~~
In file included from ../sound/pci/lola/lola_pcm.c:15:
../sound/pci/lola/lola.h:307:28: note: while referencing 'streams'
  307 |         struct lola_stream streams[MAX_STREAM_COUNT];
      |                            ^~~~~~~
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220520165537.2139826-1-keescook@chromium.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
parent 15ad3332
...@@ -561,8 +561,9 @@ static snd_pcm_uframes_t lola_pcm_pointer(struct snd_pcm_substream *substream) ...@@ -561,8 +561,9 @@ static snd_pcm_uframes_t lola_pcm_pointer(struct snd_pcm_substream *substream)
void lola_pcm_update(struct lola *chip, struct lola_pcm *pcm, unsigned int bits) void lola_pcm_update(struct lola *chip, struct lola_pcm *pcm, unsigned int bits)
{ {
int i; int i;
u8 num_streams = min_t(u8, pcm->num_streams, ARRAY_SIZE(pcm->streams));
for (i = 0; bits && i < pcm->num_streams; i++) { for (i = 0; bits && i < num_streams; i++) {
if (bits & (1 << i)) { if (bits & (1 << i)) {
struct lola_stream *str = &pcm->streams[i]; struct lola_stream *str = &pcm->streams[i];
if (str->substream && str->running) if (str->substream && str->running)
......
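Review bot: the new local `num_streams` in lola_pcm_update() clamps silently, so a pcm->num_streams larger than the 16-entry streams array would now be masked rather than reported: the loop would simply stop at ARRAY_SIZE(pcm->streams) with no diagnostic. Consider enforcing the limit where pcm->num_streams is assigned (not visible in this hunk) or adding a WARN_ON_ONCE() for the out-of-range case, and add a one-line comment saying the local exists to give the compiler a provable bound. The min_t(u8, ...) cast is only correct while ARRAY_SIZE(pcm->streams) fits in a u8, which holds for the 16 reported in the warning but would truncate if MAX_STREAM_COUNT ever grew past 255.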