From c45ec06c74512265969aef40b00f320c6afb7a90 Mon Sep 17 00:00:00 2001 From: Roel Kluin Date: Wed, 29 Jul 2009 11:46:59 +0200 Subject: sound: aedsp16: Buffer overflow DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes including terminating null. Signed-off-by: Roel Kluin Signed-off-by: Takashi Iwai --- sound/oss/aedsp16.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/sound/oss/aedsp16.c b/sound/oss/aedsp16.c index 3ee9900ffd7..35b5912cf3f 100644 --- a/sound/oss/aedsp16.c +++ b/sound/oss/aedsp16.c @@ -325,8 +325,9 @@ /* * Size of character arrays that store name and version of sound card */ -#define CARDNAMELEN 15 /* Size of the card's name in chars */ -#define CARDVERLEN 2 /* Size of the card's version in chars */ +#define CARDNAMELEN 15 /* Size of the card's name in chars */ +#define CARDVERLEN 10 /* Size of the card's version in chars */ +#define CARDVERDIGITS 2 /* Number of digits in the version */ #if defined(CONFIG_SC6600) /* @@ -410,7 +411,7 @@ static int soft_cfg __initdata = 0; /* bitmapped config */ static int soft_cfg_mss __initdata = 0; /* bitmapped mss config */ -static int ver[CARDVERLEN] __initdata = {0, 0}; /* DSP Ver: +static int ver[CARDVERDIGITS] __initdata = {0, 0}; /* DSP Ver: hi->ver[0] lo->ver[1] */ #if defined(CONFIG_SC6600) @@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port) * string is finished. */ ver[len++] = ret; - } while (len < CARDVERLEN); + } while (len < CARDVERDIGITS); sprintf(DSPVersion, "%d.%d", ver[0], ver[1]); DBG(("success.\n")); -- cgit v1.2.3 From a987004fbcf163b100d227284999602f83044d7e Mon Sep 17 00:00:00 2001 From: Roel Kluin Date: Wed, 29 Jul 2009 12:12:09 +0200 Subject: sound: mpu401.c: Buffer overflow mpu_synth_info[m].name is a char[30], and the minimum length of the data written by sprintf is 31 bytes including terminating null. Signed-off-by: Roel Kluin Signed-off-by: Takashi Iwai --- sound/oss/mpu401.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/oss/mpu401.c b/sound/oss/mpu401.c index 1b2316f35b1..734b8f9e2f7 100644 --- a/sound/oss/mpu401.c +++ b/sound/oss/mpu401.c @@ -1074,7 +1074,7 @@ int attach_mpu401(struct address_info *hw_config, struct module *owner) sprintf(mpu_synth_info[m].name, "%s (MPU401)", hw_config->name); else sprintf(mpu_synth_info[m].name, - "MPU-401 %d.%d%c Midi interface #%d", + "MPU-401 %d.%d%c MIDI #%d", (int) (devc->version & 0xf0) >> 4, devc->version & 0x0f, revision_char, -- cgit v1.2.3