diff options
| author | Anssi Hannula <anssi.hannula@iki.fi> | 2014-12-30 20:46:11 +0200 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2014-12-31 10:02:20 +0100 |
| commit | b2ed0aa9f28979f125a9db0548cfd38ac2334775 (patch) | |
| tree | e5ed02c0944261525804250381fe9469022e891d | |
| parent | 93b0e9ca85762c2b863434b2617147f806c7e3e3 (diff) | |
| download | alsa-lib-b2ed0aa9f28979f125a9db0548cfd38ac2334775.tar.gz | |
pcm: fix buffer overflow in snd_pcm_chmap_print()
The size argument is wrong for one of the snprintf() calls in
snd_pcm_chmap_print(), allowing an overflow to happen (the user-provided
buffer may be written data up to 2x its actual size).
Seen in an user report here: http://trac.kodi.tv/ticket/15641
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
| -rw-r--r-- | src/pcm/pcm.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/pcm/pcm.c b/src/pcm/pcm.c index baa47c73..e74e02fc 100644 --- a/src/pcm/pcm.c +++ b/src/pcm/pcm.c @@ -7621,7 +7621,7 @@ int snd_pcm_chmap_print(const snd_pcm_chmap_t *map, size_t maxlen, char *buf) return -ENOMEM; } if (map->pos[i] & SND_CHMAP_DRIVER_SPEC) - len += snprintf(buf + len, maxlen, "%d", p); + len += snprintf(buf + len, maxlen - len, "%d", p); else { const char *name = chmap_names[p]; if (name) |