aboutsummaryrefslogtreecommitdiff
path: root/sound
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2013-03-15 09:14:22 +0300
committerTakashi Iwai <tiwai@suse.de>2013-03-15 07:45:20 +0100
commit57220bc1f5924c869d8fc049e50169915ca0cb24 (patch)
tree8807533cccbd92a61fbb49640c47ef7e7f368363 /sound
parentb714a7106ba5423c418c25e6231116560f8a9ef8 (diff)
downloadvexpress-lsk-57220bc1f5924c869d8fc049e50169915ca0cb24.tar.gz
sound: sequencer: cap array index in seq_chn_common_event()
"chn" here is a number between 0 and 255, but ->chn_info[] only has 16 elements so there is a potential write beyond the end of the array. If the seq_mode isn't SEQ_2 then we let the individual drivers (either opl3.c or midi_synth.c) handle it. Those functions all do a bounds check on "chn" so I haven't changed anything here. The opl3.c driver has up to 18 channels and not 16. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound')
-rw-r--r--sound/oss/sequencer.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/sound/oss/sequencer.c b/sound/oss/sequencer.c
index 30bcfe470f8..4ff60a6427d 100644
--- a/sound/oss/sequencer.c
+++ b/sound/oss/sequencer.c
@@ -545,6 +545,9 @@ static void seq_chn_common_event(unsigned char *event_rec)
case MIDI_PGM_CHANGE:
if (seq_mode == SEQ_2)
{
+ if (chn > 15)
+ break;
+
synth_devs[dev]->chn_info[chn].pgm_num = p1;
if ((int) dev >= num_synths)
synth_devs[dev]->set_instr(dev, chn, p1);
@@ -596,6 +599,9 @@ static void seq_chn_common_event(unsigned char *event_rec)
case MIDI_PITCH_BEND:
if (seq_mode == SEQ_2)
{
+ if (chn > 15)
+ break;
+
synth_devs[dev]->chn_info[chn].bender_value = w14;
if ((int) dev < num_synths)