sound: aedsp16: Buffer overflow

DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes
including terminating null.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/oss/aedsp16.c b/sound/oss/aedsp16.c
index 3ee9900..35b5912 100644 (file)
--- a/sound/oss/aedsp16.c
+++ b/sound/oss/aedsp16.c
@@ -325,8 +325,9 @@
 /*
  * Size of character arrays that store name and version of sound card
  */
-#define CARDNAMELEN 15         /* Size of the card's name in chars     */
-#define CARDVERLEN  2          /* Size of the card's version in chars  */
+#define CARDNAMELEN    15      /* Size of the card's name in chars     */
+#define CARDVERLEN     10      /* Size of the card's version in chars  */
+#define CARDVERDIGITS  2       /* Number of digits in the version      */
 
 #if defined(CONFIG_SC6600)
 /*
@@ -410,7 +411,7 @@
 
 static int      soft_cfg __initdata = 0;       /* bitmapped config */
 static int      soft_cfg_mss __initdata = 0;   /* bitmapped mss config */
-static int      ver[CARDVERLEN] __initdata = {0, 0};   /* DSP Ver:
+static int      ver[CARDVERDIGITS] __initdata = {0, 0};        /* DSP Ver:
                                                   hi->ver[0] lo->ver[1] */
 
 #if defined(CONFIG_SC6600)
@@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port)
         * string is finished.
         */
                ver[len++] = ret;
-         } while (len < CARDVERLEN);
+         } while (len < CARDVERDIGITS);
        sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);
 
        DBG(("success.\n"));