From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 11 Feb 2015 15:10:54 +0000 (+0300)
Subject: ALSA: seq: potential out of bounds in do_control()
X-Git-Tag: firefly_0821_release~176^2~2256^2~6
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=0b444af8daf9cd28264aa3c85587c0c8601208ba;p=firefly-linux-kernel-4.4.55.git

ALSA: seq: potential out of bounds in do_control()

Smatch complains that "control" is user specifigy and needs to be
capped.  The call tree to understand this warning is quite long.

snd_seq_write()  <-- get the event from the user
  snd_seq_client_enqueue_event()
    snd_seq_deliver_event()
      deliver_to_subscribers()
        snd_seq_deliver_single_event()
          snd_opl3_oss_event_input()
            snd_midi_process_event()
              do_control()

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---

diff --git a/sound/core/seq/seq_midi_emul.c b/sound/core/seq/seq_midi_emul.c
index 9b6470cdcf24..7ba937399ac7 100644
--- a/sound/core/seq/seq_midi_emul.c
+++ b/sound/core/seq/seq_midi_emul.c
@@ -269,6 +269,9 @@ do_control(struct snd_midi_op *ops, void *drv, struct snd_midi_channel_set *chse
 {
 	int  i;
 
+	if (control >= ARRAY_SIZE(chan->control))
+		return;
+
 	/* Switches */
 	if ((control >=64 && control <=69) || (control >= 80 && control <= 83)) {
 		/* These are all switches; either off or on so set to 0 or 127 */