ASoC: 88pm860x: array overflow in snd_soc_put_volsw_2r_st() commit d967967e8d1116fb38bad25e58714b5dddd03cca upstream. This is called from snd_ctl_elem_write() with user supplied data so we need to add some bounds checking. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mark Brown <broonie@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit: 6b0dcab1d809ad6aab962c8df6ad4cd4e5986fc3 [log] [tgz]
author: Dan Carpenter <dan.carpenter@oracle.com> Fri Sep 13 10:52:49 2013 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Sun Oct 13 15:42:48 2013 -0700
tree: 6f48343d66d6153cc82eb38749a217e0e155f919
parent: e504aeaec89c4b5c0e8617d59f937ae990297743 [diff] [blame]
diff --git a/sound/soc/codecs/88pm860x-codec.c b/sound/soc/codecs/88pm860x-codec.c
index 9fd3b68..3ff2b94 100644
--- a/sound/soc/codecs/88pm860x-codec.c
+++ b/sound/soc/codecs/88pm860x-codec.c

@@ -351,6 +351,9 @@
 	val = ucontrol->value.integer.value[0];
 	val2 = ucontrol->value.integer.value[1];
 
+	if (val >= ARRAY_SIZE(st_table) || val2 >= ARRAY_SIZE(st_table))
+		return -EINVAL;
+
 	err = snd_soc_update_bits(codec, reg, 0x3f, st_table[val].m);
 	if (err < 0)
 		return err;
commit	6b0dcab1d809ad6aab962c8df6ad4cd4e5986fc3	[log] [tgz]
author	Dan Carpenter <dan.carpenter@oracle.com>	Fri Sep 13 10:52:49 2013 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	Sun Oct 13 15:42:48 2013 -0700
tree	6f48343d66d6153cc82eb38749a217e0e155f919
parent	e504aeaec89c4b5c0e8617d59f937ae990297743 [diff] [blame]