ALSA: dice: fix array limits in dice_proc_read() The array limits are supposed to be in units of u32 instead of in bytes. The current code has a potential array overflow. Fixes: c614475b0ea9 ('ALSA: dice: add a proc file to show device information') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Takashi Iwai <tiwai@suse.de>

commit: 4d6ff250857a8b5f8e33ea62ff16f165085f8655 [log] [tgz]
author: Dan Carpenter <dan.carpenter@oracle.com> Fri Nov 29 11:14:09 2013 +0300
committer: Takashi Iwai <tiwai@suse.de> Fri Nov 29 10:23:04 2013 +0100
tree: d9302124d8aed364304691841a93ec156e563295
parent: eb82594b75b0cf54c667189e061934b7c49b5d42 [diff]
diff --git a/sound/firewire/dice.c b/sound/firewire/dice.c
index 57bcd31..c0aa649 100644
--- a/sound/firewire/dice.c
+++ b/sound/firewire/dice.c

@@ -1019,7 +1019,7 @@
 
 	if (dice_proc_read_mem(dice, &tx_rx_header, sections[2], 2) < 0)
 		return;
-	quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.tx));
+	quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.tx) / 4);
 	for (stream = 0; stream < tx_rx_header.number; ++stream) {
 		if (dice_proc_read_mem(dice, &buf.tx, sections[2] + 2 +
 				       stream * tx_rx_header.size,
@@ -1045,7 +1045,7 @@
 
 	if (dice_proc_read_mem(dice, &tx_rx_header, sections[4], 2) < 0)
 		return;
-	quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.rx));
+	quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.rx) / 4);
 	for (stream = 0; stream < tx_rx_header.number; ++stream) {
 		if (dice_proc_read_mem(dice, &buf.rx, sections[4] + 2 +
 				       stream * tx_rx_header.size,
commit	4d6ff250857a8b5f8e33ea62ff16f165085f8655	[log] [tgz]
author	Dan Carpenter <dan.carpenter@oracle.com>	Fri Nov 29 11:14:09 2013 +0300
committer	Takashi Iwai <tiwai@suse.de>	Fri Nov 29 10:23:04 2013 +0100
tree	d9302124d8aed364304691841a93ec156e563295
parent	eb82594b75b0cf54c667189e061934b7c49b5d42 [diff]