[PATCH] Fix possible sprintf overrun in snd_pcm_hw_open



I spotted this while reading code a few weeks ago, and I ran it through the Ubuntu security team just to be sure. They decided it did not need any security embargo or similar, so here comes the patch.


--
David Henningsson, Canonical Ltd.
http://launchpad.net/~diwic
From 3333d9bb8d8f9cc95f9dbf68d0a703a4e832a948 Mon Sep 17 00:00:00 2001
From: David Henningsson <david.henningsson@xxxxxxxxxxxxx>
Date: Wed, 8 Dec 2010 11:06:59 +0100
Subject: [PATCH] Fix possible sprintf overrun in snd_pcm_hw_open

BugLink: http://launchpad.net/bugs/668487

Possible buffer overrun if the number of "card" and "device"
are absurdly high, especially on 64-bit platforms.

Signed-off-by: David Henningsson <david.henningsson@xxxxxxxxxxxxx>
---
 src/pcm/pcm_hw.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/pcm/pcm_hw.c b/src/pcm/pcm_hw.c
index 9d243d5..ce74ad4 100644
--- a/src/pcm/pcm_hw.c
+++ b/src/pcm/pcm_hw.c
@@ -1270,7 +1270,7 @@ int snd_pcm_hw_open(snd_pcm_t **pcmp, const char *name,
 		SNDERR("invalid stream %d", stream);
 		return -EINVAL;
 	}
-	sprintf(filename, filefmt, card, device);
+	snprintf(filename, sizeof(filename), filefmt, card, device);
 
       __again:
       	if (attempt++ > 3) {
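
Review bot: the return value of snprintf() on the added line is ignored, so a result that does not fit is now silently truncated and execution continues to __again with a shortened filename instead of failing. That removes the overrun, but a truncated path may name a different device node than the card/device pair that was requested. Suggest capturing the result in a local (for example ret) and rejecting it the way the invalid-stream case just above does: `if (ret < 0 || (size_t)ret >= sizeof(filename)) return -EINVAL;`. The fix also depends on filename being an array in this scope, which the hunk does not show; if it is a pointer, sizeof(filename) yields the pointer size rather than the buffer size.
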
-- 
1.7.1

_______________________________________________
Alsa-devel mailing list
Alsa-devel@xxxxxxxxxxxxxxxx
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
