ALSA: hda - possible read past array alc88[02]_parse_auto_config()

The test of index `i' is after the read - too late - and
unsafe: if snd_hda_get_connections() fails in the last
iteration a read beyond the array is possible.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index d1ccb6e..daf6975 100644 (file)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4684,9 +4684,9 @@ static int alc880_parse_auto_config(struct hda_codec *codec)
                        spec->multiout.dig_out_nid = dig_nid;
                else {
                        spec->multiout.slave_dig_outs = spec->slave_dig_outs;
-                       spec->slave_dig_outs[i - 1] = dig_nid;
-                       if (i == ARRAY_SIZE(spec->slave_dig_outs) - 1)
+                       if (i >= ARRAY_SIZE(spec->slave_dig_outs) - 1)
                                break;
+                       spec->slave_dig_outs[i - 1] = dig_nid;
                }
        }
        if (spec->autocfg.dig_in_pin)
@@ -9813,9 +9813,9 @@ static int alc882_parse_auto_config(struct hda_codec *codec)
                        spec->multiout.dig_out_nid = dig_nid;
                else {
                        spec->multiout.slave_dig_outs = spec->slave_dig_outs;
-                       spec->slave_dig_outs[i - 1] = dig_nid;
-                       if (i == ARRAY_SIZE(spec->slave_dig_outs) - 1)
+                       if (i >= ARRAY_SIZE(spec->slave_dig_outs) - 1)
                                break;
+                       spec->slave_dig_outs[i - 1] = dig_nid;
                }
        }
        if (spec->autocfg.dig_in_pin)