Re: [Alsa-devel] sound/pci/ac97/ac97_patch.c: possible negative array index

From: Takashi Iwai
Date: Wed Nov 08 2006 - 11:07:28 EST

Next message: Martin Weber: "kernel BUG at include/linux/dcache.h:303"
Previous message: Linus Torvalds: "Re: Re: 2.6.19-rc5: known regressions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At Tue, 7 Nov 2006 19:03:23 +0100,
Adrian Bunk wrote:
>
> The Coverity checker noted the following in sound/pci/ac97/ac97_patch.c:
>
> <-- snip -->
>
> ...
> static int patch_ad1881_chained1(struct snd_ac97 * ac97, int idx, unsigned short codec_bits)
> {
> static int cfg_bits[3] = { 1<<12, 1<<14, 1<<13 };
> unsigned short val;
>
> snd_ac97_update_bits(ac97, AC97_AD_SERIAL_CFG, 0x7000, cfg_bits[idx]);
> snd_ac97_write_cache(ac97, AC97_AD_CODEC_CFG, 0x0004); // SDIE
> val = snd_ac97_read(ac97, AC97_VENDOR_ID2);
> if ((val & 0xff40) != 0x5340)
> return 0;
> if (codec_bits)
> snd_ac97_write_cache(ac97, AC97_AD_CODEC_CFG, codec_bits);
> ac97->spec.ad18xx.chained[idx] = cfg_bits[idx];
> ac97->spec.ad18xx.id[idx] = val;
> ac97->spec.ad18xx.codec_cfg[idx] = codec_bits ? codec_bits : 0x0004;
> return 1;
> }
>
> static void patch_ad1881_chained(struct snd_ac97 * ac97, int unchained_idx, int cidx1, int cidx2)
> {
> // already detected?
> if (ac97->spec.ad18xx.unchained[cidx1] || ac97->spec.ad18xx.chained[cidx1])
> cidx1 = -1;
> if (ac97->spec.ad18xx.unchained[cidx2] || ac97->spec.ad18xx.chained[cidx2])
> cidx2 = -1;
> if (cidx1 < 0 && cidx2 < 0)
> return;
> // test for chained codecs
> snd_ac97_update_bits(ac97, AC97_AD_SERIAL_CFG, 0x7000,
> ac97->spec.ad18xx.unchained[unchained_idx]);
> snd_ac97_write_cache(ac97, AC97_AD_CODEC_CFG, 0x0002); // ID1C
> ac97->spec.ad18xx.codec_cfg[unchained_idx] = 0x0002;
> if (cidx1 >= 0) {
> if (patch_ad1881_chained1(ac97, cidx1, 0x0006)) // SDIE | ID1C
> patch_ad1881_chained1(ac97, cidx2, 0);
> else if (patch_ad1881_chained1(ac97, cidx2, 0x0006)) // SDIE | ID1C
> patch_ad1881_chained1(ac97, cidx1, 0);
> } else if (cidx2 >= 0) {
> patch_ad1881_chained1(ac97, cidx2, 0);
> }
> }
> ...
>
> <-- snip -->
>
> If there are in patch_ad1881_chained() (cidx2 == -1) and (cidx1 >= 0),
> -1 will be used as array index in patch_ad1881_chained1().

Thanks, fixed on ALSA tree now.

Takashi

diff -r d152dacb9bad -r 4fc4f9aba378 sound/pci/ac97/ac97_patch.c
--- a/sound/pci/ac97/ac97_patch.c Wed Nov 08 15:41:29 2006 +0100
+++ b/sound/pci/ac97/ac97_patch.c Wed Nov 08 15:48:43 2006 +0100
@@ -1467,7 +1467,9 @@ static void patch_ad1881_chained(struct
snd_ac97_write_cache(ac97, AC97_AD_CODEC_CFG, 0x0002); // ID1C
ac97->spec.ad18xx.codec_cfg[unchained_idx] = 0x0002;
if (cidx1 >= 0) {
- if (patch_ad1881_chained1(ac97, cidx1, 0x0006)) // SDIE | ID1C
+ if (cidx2 < 0)
+ patch_ad1881_chained1(ac97, cidx1, 0);
+ else if (patch_ad1881_chained1(ac97, cidx1, 0x0006)) // SDIE | ID1C
patch_ad1881_chained1(ac97, cidx2, 0);
else if (patch_ad1881_chained1(ac97, cidx2, 0x0006)) // SDIE | ID1C
patch_ad1881_chained1(ac97, cidx1, 0);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Martin Weber: "kernel BUG at include/linux/dcache.h:303"
Previous message: Linus Torvalds: "Re: Re: 2.6.19-rc5: known regressions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]