[hardy, maverick/ti-omap4 CVE 1/1] sound/oss/opl3: validate voice and channel indexes

[Andy Whitcroft]

From: Dan Rosenberg <drosenberg at vsecurity.com>

User-controllable indexes for voice and channel values may cause reading
and writing beyond the bounds of their respective arrays, leading to
potentially exploitable memory corruption.  Validate these indexes.

Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
Cc: stable at kernel.org
Signed-off-by: Takashi Iwai <tiwai at suse.de>

(cherry picked from commit 4d00135a680727f6c3be78f8befaac009030e4df)
CVE-2011-1477
BugLink: http://bugs.launchpad.net/bugs/925335
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
 sound/oss/opl3.c |   15 +++++++++++++--
 1 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c
index 7781c13..c828a34 100644
--- a/sound/oss/opl3.c
+++ b/sound/oss/opl3.c
@@ -848,6 +848,10 @@ static int opl3_load_patch(int dev, int format, const char __user *addr,
 
 static void opl3_panning(int dev, int voice, int value)
 {
+
+	if (voice < 0 || voice >= devc->nr_voice)
+		return;
+
 	devc->voc[voice].panning = value;
 }
 
@@ -1065,8 +1069,15 @@ static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info
 
 static void opl3_setup_voice(int dev, int voice, int chn)
 {
-	struct channel_info *info =
-	&synth_devs[dev]->chn_info[chn];
+	struct channel_info *info;
+
+	if (voice < 0 || voice >= devc->nr_voice)
+		return;
+
+	if (chn < 0 || chn > 15)
+		return;
+
+	info = &synth_devs[dev]->chn_info[chn];
 
 	opl3_set_instr(dev, voice, info->pgm_num);
 
-- 
1.7.8.3