From e12483e0f3dbc32dad8fa1dc97efac22b6aee94f Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Tue, 29 Oct 2013 16:37:11 +0100 Subject: ALSA: ak4114: Fix wrong register array size The size of the register cache array is actually 6 instead of 7, as it caches up to AK4114_REG_INT1_MASK. This resulted in unexpected access out of array range, although most of them aren't so serious (just reading one more byte on the stack at snd_ak4114_create()). Also, the check of cache size was wrongly done by checking with sizeof() instead of ARRAY_SIZE(). Fixed this together. (And yes, hardcoded numbers are bad, but I keep the coding style as is for making it clear what this patch actually does.) Spotted by coverity among several CIDs, e.g. 711621. Signed-off-by: Takashi Iwai diff --git a/include/sound/ak4114.h b/include/sound/ak4114.h index 3ce69fd..52f02a6 100644 --- a/include/sound/ak4114.h +++ b/include/sound/ak4114.h @@ -170,7 +170,7 @@ struct ak4114 { void * private_data; unsigned int init: 1; spinlock_t lock; - unsigned char regmap[7]; + unsigned char regmap[6]; unsigned char txcsb[5]; struct snd_kcontrol *kctls[AK4114_CONTROLS]; struct snd_pcm_substream *playback_substream; @@ -189,7 +189,7 @@ struct ak4114 { int snd_ak4114_create(struct snd_card *card, ak4114_read_t *read, ak4114_write_t *write, - const unsigned char pgm[7], const unsigned char txcsb[5], + const unsigned char pgm[6], const unsigned char txcsb[5], void *private_data, struct ak4114 **r_ak4114); void snd_ak4114_reg_write(struct ak4114 *ak4114, unsigned char reg, unsigned char mask, unsigned char val); void snd_ak4114_reinit(struct ak4114 *ak4114); diff --git a/sound/i2c/other/ak4114.c b/sound/i2c/other/ak4114.c index 5bf4fca..15ae025 100644 --- a/sound/i2c/other/ak4114.c +++ b/sound/i2c/other/ak4114.c @@ -60,7 +60,7 @@ static void reg_dump(struct ak4114 *ak4114) printk(KERN_DEBUG "AK4114 REG DUMP:\n"); for (i = 0; i < 0x20; i++) - printk(KERN_DEBUG "reg[%02x] = %02x (%02x)\n", i, reg_read(ak4114, i), i < sizeof(ak4114->regmap) ? ak4114->regmap[i] : 0); + printk(KERN_DEBUG "reg[%02x] = %02x (%02x)\n", i, reg_read(ak4114, i), i < ARRAY_SIZE(ak4114->regmap) ? ak4114->regmap[i] : 0); } #endif @@ -81,7 +81,7 @@ static int snd_ak4114_dev_free(struct snd_device *device) int snd_ak4114_create(struct snd_card *card, ak4114_read_t *read, ak4114_write_t *write, - const unsigned char pgm[7], const unsigned char txcsb[5], + const unsigned char pgm[6], const unsigned char txcsb[5], void *private_data, struct ak4114 **r_ak4114) { struct ak4114 *chip; @@ -101,7 +101,7 @@ int snd_ak4114_create(struct snd_card *card, chip->private_data = private_data; INIT_DELAYED_WORK(&chip->work, ak4114_stats); - for (reg = 0; reg < 7; reg++) + for (reg = 0; reg < 6; reg++) chip->regmap[reg] = pgm[reg]; for (reg = 0; reg < 5; reg++) chip->txcsb[reg] = txcsb[reg]; @@ -142,7 +142,7 @@ static void ak4114_init_regs(struct ak4114 *chip) /* release reset, but leave powerdown */ reg_write(chip, AK4114_REG_PWRDN, (old | AK4114_RST) & ~AK4114_PWN); udelay(200); - for (reg = 1; reg < 7; reg++) + for (reg = 1; reg < 6; reg++) reg_write(chip, reg, chip->regmap[reg]); for (reg = 0; reg < 5; reg++) reg_write(chip, reg + AK4114_REG_TXCSB0, chip->txcsb[reg]); -- cgit v0.10.2