From: Takashi Iwai
Date: Thu, 15 Nov 2007 12:16:02 +0000 (+0100)
Subject: [ALSA] emu10k1 - Check value ranges in ctl callbacks
X-Git-Tag: v2.6.24-rc4~112^2~1
X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa299d01f1c2e680e40813b63f8dfb46c79ea715;p=linux-2.6
[ALSA] emu10k1 - Check value ranges in ctl callbacks
Check value ranges in ctl callbacks properly. This fixes the unexpected crash due to wrong value assignment. Also, remove invalid comments in the last patch.
Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela
---
diff --git a/sound/pci/emu10k1/emumixer.c b/sound/pci/emu10k1/emumixer.c
index 88eab4a461..ccacd7b890 100644
--- a/sound/pci/emu10k1/emumixer.c
+++ b/sound/pci/emu10k1/emumixer.c
@@ -293,12 +293,15 @@ static int snd_emu1010_output_source_put(struct snd_kcontrol *kcontrol, unsigned int val; unsigned int channel; + val = ucontrol->value.enumerated.item[0]; + if (val >= 53) + return -EINVAL; channel = (kcontrol->private_value) & 0xff; /* Limit: emu1010_output_dst, emu->emu1010.output_source */ if (channel >= 24) return -EINVAL; - if (emu->emu1010.output_source[channel] != ucontrol->value.enumerated.item[0]) { - val = emu->emu1010.output_source[channel] = ucontrol->value.enumerated.item[0]; + if (emu->emu1010.output_source[channel] != val) { + emu->emu1010.output_source[channel] = val; change = 1; snd_emu1010_fpga_link_dst_src_write(emu, emu1010_output_dst[channel], emu1010_src_regs[val]);
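Review bot: The new bound `if (val >= 53)` in snd_emu1010_output_source_put is a bare literal, although what it protects is the index in `emu1010_src_regs[val]` a few lines later; if that table is ever resized, the check and the table drift apart without any compiler help. Because `ucontrol->value.enumerated.item[0]` comes from user space, I would tie the limit to the table itself, e.g. `if (val >= ARRAY_SIZE(emu1010_src_regs))`, assuming the array is defined with its full size in this file (the definition is outside the hunk). The same literal is repeated in the @@ -328 hunk for snd_emu1010_input_source_put, and the existing `channel >= 24` / `channel >= 22` limits have the same shape. The function body starts before and continues past this hunk.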
@@ -328,12 +331,15 @@ static int snd_emu1010_input_source_put(struct snd_kcontrol *kcontrol, unsigned int val; unsigned int channel; + val = ucontrol->value.enumerated.item[0]; + if (val >= 53) + return -EINVAL; channel = (kcontrol->private_value) & 0xff; /* Limit: emu1010_input_dst, emu->emu1010.input_source */ if (channel >= 22) return -EINVAL; - if (emu->emu1010.input_source[channel] != ucontrol->value.enumerated.item[0]) { - val = emu->emu1010.input_source[channel] = ucontrol->value.enumerated.item[0]; + if (emu->emu1010.input_source[channel] != val) { + emu->emu1010.input_source[channel] = val; change = 1; snd_emu1010_fpga_link_dst_src_write(emu, emu1010_input_dst[channel], emu1010_src_regs[val]);
@@ -1083,7 +1089,6 @@ static int snd_emu10k1_send_volume_put(struct snd_kcontrol *kcontrol, { unsigned long flags; struct snd_emu10k1 *emu = snd_kcontrol_chip(kcontrol); - /* FIXME: Check limits */ struct snd_emu10k1_pcm_mixer *mix = &emu->pcm_mixer[snd_ctl_get_ioffidx(kcontrol, &ucontrol->id)]; int change = 0, idx, val;
@@ -1136,7 +1141,6 @@ static int snd_emu10k1_attn_get(struct snd_kcontrol *kcontrol, struct snd_ctl_elem_value *ucontrol) { struct snd_emu10k1 *emu = snd_kcontrol_chip(kcontrol); - /* FIXME: Check limits */ struct snd_emu10k1_pcm_mixer *mix = &emu->pcm_mixer[snd_ctl_get_ioffidx(kcontrol, &ucontrol->id)]; unsigned long flags;
@@ -1154,7 +1158,6 @@ static int snd_emu10k1_attn_put(struct snd_kcontrol *kcontrol, { unsigned long flags; struct snd_emu10k1 *emu = snd_kcontrol_chip(kcontrol); - /* FIXME: Check limits */ struct snd_emu10k1_pcm_mixer *mix = &emu->pcm_mixer[snd_ctl_get_ioffidx(kcontrol, &ucontrol->id)]; int change = 0, idx, val;
@@ -1207,7 +1210,6 @@ static int snd_emu10k1_efx_send_routing_get(struct snd_kcontrol *kcontrol, { unsigned long flags; struct snd_emu10k1 *emu = snd_kcontrol_chip(kcontrol); - /* FIXME: Check limits */ struct snd_emu10k1_pcm_mixer *mix = &emu->efx_pcm_mixer[snd_ctl_get_ioffidx(kcontrol, &ucontrol->id)]; int idx;
@@ -1227,7 +1229,6 @@ static int snd_emu10k1_efx_send_routing_put(struct snd_kcontrol *kcontrol, { unsigned long flags; struct snd_emu10k1 *emu = snd_kcontrol_chip(kcontrol); - /* FIXME: Check limits */ int ch = snd_ctl_get_ioffidx(kcontrol, &ucontrol->id); struct snd_emu10k1_pcm_mixer *mix = &emu->efx_pcm_mixer[ch]; int change = 0, idx, val;
@@ -1279,7 +1280,6 @@ static int snd_emu10k1_efx_send_volume_get(struct snd_kcontrol *kcontrol, { unsigned long flags; struct snd_emu10k1 *emu = snd_kcontrol_chip(kcontrol); - /* FIXME: Check limits */ struct snd_emu10k1_pcm_mixer *mix = &emu->efx_pcm_mixer[snd_ctl_get_ioffidx(kcontrol, &ucontrol->id)]; int idx;
@@ -1297,7 +1297,6 @@ static int snd_emu10k1_efx_send_volume_put(struct snd_kcontrol *kcontrol, { unsigned long flags; struct snd_emu10k1 *emu = snd_kcontrol_chip(kcontrol); - /* FIXME: Check limits */ int ch = snd_ctl_get_ioffidx(kcontrol, &ucontrol->id); struct snd_emu10k1_pcm_mixer *mix = &emu->efx_pcm_mixer[ch]; int change = 0, idx, val;
@@ -1346,7 +1345,6 @@ static int snd_emu10k1_efx_attn_get(struct snd_kcontrol *kcontrol, struct snd_ctl_elem_value *ucontrol) { struct snd_emu10k1 *emu = snd_kcontrol_chip(kcontrol); - /* FIXME: Check limits */ struct snd_emu10k1_pcm_mixer *mix = &emu->efx_pcm_mixer[snd_ctl_get_ioffidx(kcontrol, &ucontrol->id)]; unsigned long flags;
@@ -1362,7 +1360,6 @@ static int snd_emu10k1_efx_attn_put(struct snd_kcontrol *kcontrol, { unsigned long flags; struct snd_emu10k1 *emu = snd_kcontrol_chip(kcontrol); - /* FIXME: Check limits */ int ch = snd_ctl_get_ioffidx(kcontrol, &ucontrol->id); struct snd_emu10k1_pcm_mixer *mix = &emu->efx_pcm_mixer[ch]; int change = 0, val;
diff --git a/sound/pci/emu10k1/p16v.c b/sound/pci/emu10k1/p16v.c
index d619a3842c..9fd3135f31 100644
--- a/sound/pci/emu10k1/p16v.c
+++ b/sound/pci/emu10k1/p16v.c
@@ -742,6 +742,8 @@ static int snd_p16v_capture_source_put(struct snd_kcontrol *kcontrol, u32 source; val = ucontrol->value.enumerated.item[0] ; + if (val > 7) + return -EINVAL; change = (emu->p16v_capture_source != val); if (change) { emu->p16v_capture_source = val;
@@ -784,6 +786,8 @@ static int snd_p16v_capture_channel_put(struct snd_kcontrol *kcontrol, u32 tmp; val = ucontrol->value.enumerated.item[0] ; + if (val > 3) + return -EINVAL; change = (emu->p16v_capture_channel != val); if (change) { emu->p16v_capture_channel = val;
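Review bot: Whether `if (val > 7)` in snd_p16v_capture_source_put rejects every out-of-range request depends on the type of `val`, which is declared outside this hunk: if it is a signed `int`, an `item[0]` above INT_MAX turns negative on assignment and passes the check. Please confirm `val` is `unsigned int`, or test the unsigned source directly with `if (ucontrol->value.enumerated.item[0] > 7) return -EINVAL;`. The same applies to `if (val > 3)` in the @@ -784 hunk for snd_p16v_capture_channel_put. Both limits are bare literals, so a one-line comment naming what each bounds (presumably the item count reported by the matching info callback) would help keep them in sync. Both function bodies start before and end after their hunks.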