sound: aedsp16: Buffer overflow

DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes including terminating null. Signed-off-by: Roel Kluin <[email protected]> Signed-off-by: Takashi Iwai <[email protected]>
kyagi · Jul 29, 2009 · c45ec06 · c45ec06
1 parent 4be3bd7
commit c45ec06
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/sound/oss/aedsp16.c b/sound/oss/aedsp16.c
@@ -325,8 +325,9 @@
 /*
  * Size of character arrays that store name and version of sound card
  */
-#define CARDNAMELEN 15		/* Size of the card's name in chars     */
-#define CARDVERLEN  2		/* Size of the card's version in chars  */
+#define CARDNAMELEN	15	/* Size of the card's name in chars     */
+#define CARDVERLEN	10	/* Size of the card's version in chars	*/
+#define CARDVERDIGITS	2	/* Number of digits in the version	*/
 
 #if defined(CONFIG_SC6600)
 /*
@@ -410,7 +411,7 @@
 
 static int      soft_cfg __initdata = 0;	/* bitmapped config */
 static int      soft_cfg_mss __initdata = 0;	/* bitmapped mss config */
-static int      ver[CARDVERLEN] __initdata = {0, 0};	/* DSP Ver:
+static int      ver[CARDVERDIGITS] __initdata = {0, 0};	/* DSP Ver:
 						   hi->ver[0] lo->ver[1] */
 
 #if defined(CONFIG_SC6600)
@@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port)
 	 * string is finished.
 	 */
 		ver[len++] = ret;
-	  } while (len < CARDVERLEN);
+	  } while (len < CARDVERDIGITS);
 	sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);
 
 	DBG(("success.\n"));