From: Kees Cook Date: Fri, 20 May 2022 16:55:37 +0000 (-0700) Subject: ALSA: lola: Bounds check loop iterator against streams array size X-Git-Tag: v6.1-rc5~574^2~82^2~2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=12626530de84d2b00ff6480142f7f4374662c0c3;p=platform%2Fkernel%2Flinux-starfive.git ALSA: lola: Bounds check loop iterator against streams array size GCC 12 sees that it's technically possible for num_streams to be larger than ARRAY_SIZE(pcm->streams). Bounds-check the iterator. ../sound/pci/lola/lola_pcm.c: In function 'lola_pcm_update': ../sound/pci/lola/lola_pcm.c:567:64: warning: array subscript [0, 31] is outside array bounds of 'struct lola_stream[16]' [-Warray-bounds] 567 | struct lola_stream *str = &pcm->streams[i]; | ~~~~~~~~~~~~^~~ In file included from ../sound/pci/lola/lola_pcm.c:15: ../sound/pci/lola/lola.h:307:28: note: while referencing 'streams' 307 | struct lola_stream streams[MAX_STREAM_COUNT]; | ^~~~~~~ Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220520165537.2139826-1-keescook@chromium.org Signed-off-by: Takashi Iwai --- diff --git a/sound/pci/lola/lola_pcm.c b/sound/pci/lola/lola_pcm.c index 738ec98..32193fa 100644 --- a/sound/pci/lola/lola_pcm.c +++ b/sound/pci/lola/lola_pcm.c @@ -561,8 +561,9 @@ static snd_pcm_uframes_t lola_pcm_pointer(struct snd_pcm_substream *substream) void lola_pcm_update(struct lola *chip, struct lola_pcm *pcm, unsigned int bits) { int i; + u8 num_streams = min_t(u8, pcm->num_streams, ARRAY_SIZE(pcm->streams)); - for (i = 0; bits && i < pcm->num_streams; i++) { + for (i = 0; bits && i < num_streams; i++) { if (bits & (1 << i)) { struct lola_stream *str = &pcm->streams[i]; if (str->substream && str->running)