From 9d26f571df4de4b8991aeb30c4ccc7b0a30f0ec7 Mon Sep 17 00:00:00 2001 From: Artemii Karasev Date: Tue, 7 Feb 2023 18:20:26 +0500 Subject: ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() commit 6a32425f953b955b4ff82f339d01df0b713caa5d upstream. snd_emux_xg_control() can be called with an argument 'param' greater than size of 'control' array. It may lead to accessing 'control' array at a wrong index. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Artemii Karasev Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: Link: https://lore.kernel.org/r/20230207132026.2870-1-karasev@ispras.ru Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/synth/emux/emux_nrpn.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'sound/synth') diff --git a/sound/synth/emux/emux_nrpn.c b/sound/synth/emux/emux_nrpn.c index 8056422ed7c5..0d6b82ae2955 100644 --- a/sound/synth/emux/emux_nrpn.c +++ b/sound/synth/emux/emux_nrpn.c @@ -349,6 +349,9 @@ int snd_emux_xg_control(struct snd_emux_port *port, struct snd_midi_channel *chan, int param) { + if (param >= ARRAY_SIZE(chan->control)) + return -EINVAL; + return send_converted_effect(xg_effects, ARRAY_SIZE(xg_effects), port, chan, param, chan->control[param], -- cgit v1.2.3