Date: Thu, 16 Mar 2006 11:23:18 +0800
From: Eugene Teo
Subject: Re: Fix sequencer missing negative bound check
In-reply-to: <200603160307.k2G37KLX007666@turing-police.cc.vt.edu>
To: linux-kernel@vger.kernel.org
Cc: alsa-devel@alsa-project.org, Valdis.Kletnieks@vt.edu
Reply-to: Eugene Teo
Message-id: <20060316032318.GA21534@eugeneteo.net>
References: <20060316011911.GA20384@eugeneteo.net> <200603160307.k2G37KLX007666@turing-police.cc.vt.edu>

> On Thu, 16 Mar 2006 09:19:11 +0800, Eugene Teo said:
> > dev is missing a negative bound check.
> >
> > Signed-off-by: Eugene Teo
[snipped]
> static void seq_sysex_message(unsigned char *event_rec)
> {
>     int dev = event_rec[1];
>     int i, l = 0;
>     unsigned char *buf = &event_rec[2];
>
>     if ((int) dev > max_synthdev)
>         return;
[snipped]
> that 'int dev' came out of an 'unsigned char *' - as such, I doubt you
> can get a negative value. If anything, it should be 'unsigned int dev'.

Yes, thanks for pointing it out.

--
'int dev' came out of an 'unsigned char *' - as such, it will not get a
negative value. Thanks Valdis.

Signed-off-by: Eugene Teo --- linux-2.6/sound/oss/sequencer.c~ 2006-03-15 10:05:45.000000000 +0800 +++ linux-2.6/sound/oss/sequencer.c 2006-03-16 11:15:31.000000000 +0800 @@ -709,7 +709,7 @@ static void seq_sysex_message(unsigned char *event_rec) { - int dev = event_rec[1]; + unsigned int dev = event_rec[1]; int i, l = 0; unsigned char *buf = &event_rec[2]; -- 1024D/A6D12F80 print D51D 2633 8DAC 04DB 7265 9BB8 5883 6DAA A6D1 2F80 main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
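
Review bot: The declaration change on the `dev` line does not alter which values reach the bound check, because `event_rec[1]` is read through an `unsigned char *` and is non-negative under either `int` or `unsigned int`. The subject line still says "Fix sequencer missing negative bound check", while the changelog now says no negative value is possible, so the subject should be reworded as a type cleanup. The comparison quoted earlier in the thread, `if ((int) dev > max_synthdev)`, casts `dev` back to `int`; with `dev` declared unsigned it would be worth deciding in this same patch whether that cast stays. Whether `>` is the right operator there depends on how `max_synthdev` is used for indexing, which is not visible in this hunk.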
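
The point made in the thread, that a byte read through `unsigned char *` cannot become negative, shown as an added example that is not part of the original mail or of the kernel source. `MAX_DEV`, `sample_rec` and the helper names are hypothetical; the signed variant is included only to show when a negative bound check would be needed.

```c
#include <stdio.h>

#define MAX_DEV 4   /* hypothetical table size, not the kernel's max_synthdev */

/* Constructed sample record: byte 1 (the device byte) is 0xfe. */
static const unsigned char sample_rec[8] = { 0x05, 0xfe, 0xf0, 0x7e, 0xf7, 0, 0, 0 };

/* Upper-bound-only check: sufficient only if dev can never be negative. */
static int upper_bound_only_ok(int dev)
{
    return dev < MAX_DEV;
}

/* Full range check for an index that may be negative. */
static int full_range_ok(int dev)
{
    return dev >= 0 && dev < MAX_DEV;
}

/* Read through unsigned char *: the byte is promoted to an int in 0..255. */
static int dev_from_unsigned(const unsigned char *rec)
{
    return rec[1];
}

/* Read through signed char *: bytes 0x80..0xff are sign-extended to negatives. */
static int dev_from_signed(const signed char *rec)
{
    return rec[1];
}

int main(void)
{
    int u = dev_from_unsigned(sample_rec);
    int s = dev_from_signed((const signed char *)sample_rec);

    /* Unsigned read: large positive value, rejected by the upper bound alone. */
    printf("unsigned read: dev=%d upper-only ok=%d\n", u, upper_bound_only_ok(u));
    /* Signed read: negative value slips past an upper-only check. */
    printf("signed read:   dev=%d upper-only ok=%d full ok=%d\n",
           s, upper_bound_only_ok(s), full_range_ok(s));
    return 0;
}
```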