2006-03-16 01:19:16

by Eugene Teo

Subject: Fix sequencer missing negative bound check

dev is missing a negative bound check.

Signed-off-by: Eugene Teo <[email protected]>

--- linux-2.6/sound/oss/sequencer.c~ 2006-03-15 10:05:45.000000000 +0800
+++ linux-2.6/sound/oss/sequencer.c 2006-03-16 09:06:59.000000000 +0800
@@ -713,7 +713,7 @@
int i, l = 0;
unsigned char *buf = &event_rec[2];

- if ((int) dev > max_synthdev)
+ if (dev < 0 || dev >= max_synthdev)
return;
if (!(synth_open_mask & (1 << dev)))
return;
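
Review bot: the new upper bound `dev >= max_synthdev` is stricter than the old `dev > max_synthdev`, but the changelog only mentions the negative check. If max_synthdev is a count, so that dev == max_synthdev is already out of range, say so in the description or split it into its own patch, since it is a behavioural change of its own. The `dev < 0` half depends on the type of dev, whose declaration falls outside the context shown in this hunk; please state it, because the `(int)` cast on the removed line suggests signedness was already considered here.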

--
1024D/A6D12F80 print D51D 2633 8DAC 04DB 7265 9BB8 5883 6DAA A6D1 2F80
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }


2006-03-16 03:07:33

by Valdis Klētnieks

Subject: Re: Fix sequencer missing negative bound check

On Thu, 16 Mar 2006 09:19:11 +0800, Eugene Teo said:
> dev is missing a negative bound check.
>
> Signed-off-by: Eugene Teo <[email protected]>
>
> --- linux-2.6/sound/oss/sequencer.c~ 2006-03-15 10:05:45.000000000 +0800
> +++ linux-2.6/sound/oss/sequencer.c 2006-03-16 09:06:59.000000000 +0800
> @@ -713,7 +713,7 @@
> int i, l = 0;
> unsigned char *buf = &event_rec[2];
>
> - if ((int) dev > max_synthdev)
> + if (dev < 0 || dev >= max_synthdev)
> return;
> if (!(synth_open_mask & (1 << dev)))
> return;
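
Review bot: the context line `if (!(synth_open_mask & (1 << dev)))` uses dev as a shift count immediately after this check, so the check is also what keeps the shift in range. That only holds if max_synthdev can never exceed the bit width of the mask; worth confirming, and worth a short comment next to the check saying it guards the shift as well.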

Erm??

Looking at a bit more context for the function:

static void seq_sysex_message(unsigned char *event_rec)
{
	int dev = event_rec[1];
	int i, l = 0;
	unsigned char *buf = &event_rec[2];

	if ((int) dev > max_synthdev)
		return;
	if (!(synth_open_mask & (1 << dev)))
		return;
	if (!synth_devs[dev])
		return;

that 'int dev' came out of an 'unsigned char *' - as such, I doubt you
can get a negative value. If anything, it should be 'unsigned int dev'.



2006-03-16 03:24:16

by Eugene Teo

Subject: Re: Fix sequencer missing negative bound check

<quote sender="[email protected]">
> On Thu, 16 Mar 2006 09:19:11 +0800, Eugene Teo said:
> > dev is missing a negative bound check.
> >
> > Signed-off-by: Eugene Teo <[email protected]>
[snipped]
> static void seq_sysex_message(unsigned char *event_rec)
> {
> int dev = event_rec[1];
> int i, l = 0;
> unsigned char *buf = &event_rec[2];
>
> if ((int) dev > max_synthdev)
> return;
[snipped]
> that 'int dev' came out of an 'unsigned char *' - as such, I doubt you
> can get a negative value. If anything, it should be 'unsigned int dev'.

Yes, thanks for pointing it out.

--
'int dev' came out of an 'unsigned char *' - as such, it will not get
a negative value. Thanks Valdis.

Signed-off-by: Eugene Teo <[email protected]>

--- linux-2.6/sound/oss/sequencer.c~ 2006-03-15 10:05:45.000000000 +0800
+++ linux-2.6/sound/oss/sequencer.c 2006-03-16 11:15:31.000000000 +0800
@@ -709,7 +709,7 @@

static void seq_sysex_message(unsigned char *event_rec)
{
- int dev = event_rec[1];
+ unsigned int dev = event_rec[1];
int i, l = 0;
unsigned char *buf = &event_rec[2];
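
Review bot: with `unsigned int dev` this patch only changes a declaration, while the Subject still promises a negative bound check; the description should say it is a type cleanup with no change in behaviour. The check quoted earlier in the thread, `if ((int) dev > max_synthdev)`, is left as is, so its `(int)` cast now converts dev back to signed for the comparison; either drop the cast in the same patch or explain why it stays. The `>` to `>=` change from the first version is also gone without comment; if the upper bound was off by one, it still needs a separate fix.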

--
1024D/A6D12F80 print D51D 2633 8DAC 04DB 7265 9BB8 5883 6DAA A6D1 2F80
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }