ALSA: lola: Bounds check loop iterator against streams array size
authorKees Cook <keescook@chromium.org>
Fri, 20 May 2022 16:55:37 +0000 (09:55 -0700)
committerTakashi Iwai <tiwai@suse.de>
Sat, 21 May 2022 06:48:57 +0000 (08:48 +0200)
GCC 12 sees that it's technically possible for num_streams to be larger
than ARRAY_SIZE(pcm->streams). Bounds-check the iterator.

../sound/pci/lola/lola_pcm.c: In function 'lola_pcm_update':
../sound/pci/lola/lola_pcm.c:567:64: warning: array subscript [0, 31] is outside array bounds of 'struct lola_stream[16]' [-Warray-bounds]
  567 |                         struct lola_stream *str = &pcm->streams[i];
      |                                                    ~~~~~~~~~~~~^~~
In file included from ../sound/pci/lola/lola_pcm.c:15:
../sound/pci/lola/lola.h:307:28: note: while referencing 'streams'
  307 |         struct lola_stream streams[MAX_STREAM_COUNT];
      |                            ^~~~~~~

Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220520165537.2139826-1-keescook@chromium.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
sound/pci/lola/lola_pcm.c

index 738ec98..32193fa 100644 (file)
@@ -561,8 +561,9 @@ static snd_pcm_uframes_t lola_pcm_pointer(struct snd_pcm_substream *substream)
 void lola_pcm_update(struct lola *chip, struct lola_pcm *pcm, unsigned int bits)
 {
        int i;
+       u8 num_streams = min_t(u8, pcm->num_streams, ARRAY_SIZE(pcm->streams));
 
-       for (i = 0; bits && i < pcm->num_streams; i++) {
+       for (i = 0; bits && i < num_streams; i++) {
                if (bits & (1 << i)) {
                        struct lola_stream *str = &pcm->streams[i];
                        if (str->substream && str->running)