[PATCH 4/9] [UBUNTU:sound/drivers/opl3] Fix use after free() in sound/drivers/opl3/opl3_{oss, seq}.c

crimsun at fungus.sh.nu crimsun at fungus.sh.nu
Tue Mar 28 08:17:54 UTC 2006 

Subject: [PATCH 4/9] [UBUNTU:sound/drivers/opl3] Fix use after free() in sound/drivers/opl3/opl3_{oss,seq}.c

UpstreamStatus: Applied, backported from http://kernel.org/git/?p=linux/kernel/git/perex/alsa-current.git;a=commitdiff;h=5e315e9248329c53a8932b71532c28240125e3c4

This patch from Dave Jones fixes Coverity #95[45]: Don't read from
free()d memory; use the return value properly; don't register the
device if creating the port failed.

Signed-off-by: Daniel T Chen <crimsun at ubuntu.com>

---

 sound/drivers/opl3/opl3_oss.c |   12 +++++++-----
 sound/drivers/opl3/opl3_seq.c |   12 +++++++++---
 2 files changed, 16 insertions(+), 8 deletions(-)

f064216b18c909dd490832e50554eb8d60fb02e9
diff --git a/sound/drivers/opl3/opl3_oss.c b/sound/drivers/opl3/opl3_oss.c
index d0fddf8..4802a7d 100644
--- a/sound/drivers/opl3/opl3_oss.c
+++ b/sound/drivers/opl3/opl3_oss.c
@@ -104,8 +104,10 @@ static int snd_opl3_oss_create_port(opl3
 							  voices, voices,
 							  name);
 	if (opl3->oss_chset->port < 0) {
+		int port;
+		port = opl3->oss_chset->port;
 		snd_midi_channel_free_set(opl3->oss_chset);
-		return opl3->oss_chset->port;
+		return port;
 	}
 	return 0;
 }
@@ -136,10 +138,10 @@ void snd_opl3_init_seq_oss(opl3_t *opl3,
 	arg->oper = oss_callback;
 	arg->private_data = opl3;
 
-	snd_opl3_oss_create_port(opl3);
-
-	/* register to OSS synth table */
-	snd_device_register(opl3->card, dev);
+	if (snd_opl3_oss_create_port(opl3)) {
+		/* register to OSS synth table */
+		snd_device_register(opl3->card, dev);
+	}
 }
 
 /* unregister */
diff --git a/sound/drivers/opl3/opl3_seq.c b/sound/drivers/opl3/opl3_seq.c
index 136964b..673a53f 100644
--- a/sound/drivers/opl3/opl3_seq.c
+++ b/sound/drivers/opl3/opl3_seq.c
@@ -207,8 +207,10 @@ static int snd_opl3_synth_create_port(op
 						      16, voices,
 						      name);
 	if (opl3->chset->port < 0) {
+		int port;
+		port = opl3->chset->port;
 		snd_midi_channel_free_set(opl3->chset);
-		return opl3->chset->port;
+		return port;
 	}
 	return 0;
 }
@@ -218,7 +220,7 @@ static int snd_opl3_synth_create_port(op
 static int snd_opl3_seq_new_device(snd_seq_device_t *dev)
 {
 	opl3_t *opl3;
-	int client;
+	int client, err;
 	snd_seq_client_callback_t callbacks;
 	snd_seq_client_info_t cinfo;
 	int opl_ver;
@@ -248,7 +250,11 @@ static int snd_opl3_seq_new_device(snd_s
 	sprintf(cinfo.name, "OPL%i FM synth", opl_ver);
 	snd_seq_kernel_client_ctl(client, SNDRV_SEQ_IOCTL_SET_CLIENT_INFO, &cinfo);
 
-	snd_opl3_synth_create_port(opl3);
+	if ((err = snd_opl3_synth_create_port(opl3)) < 0) {
+		snd_seq_delete_kernel_client(client);
+		opl3->seq_client = -1;
+		return err;
+	}
 
 	/* initialize instrument list */
 	opl3->ilist = snd_seq_instr_list_new();
-- 
1.1.3


-- 
Daniel T. Chen            crimsun at ubuntu.com
GPG key:   www.sh.nu/~crimsun/pubkey.gpg.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20060328/c7c5ea19/attachment.sig>

More information about the kernel-team mailing list