ALSA: asihpi: a couple array out of bounds issues

These ->put() functions are called from snd_ctl_elem_write() with user
supplied data.  snd_asihpi_tuner_band_put() is missing a limit check and
the check in snd_asihpi_clksrc_put() can underflow.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/pci/asihpi/asihpi.c b/sound/pci/asihpi/asihpi.c
index dc632cdc38706ec74c18978739e0819257e1d3a8..5f2acd35dcb9f4ccf26d6263e8fcba1f6a984683 100644 (file)
--- a/sound/pci/asihpi/asihpi.c
+++ b/sound/pci/asihpi/asihpi.c
@@ -1913,6 +1913,7 @@ static int snd_asihpi_tuner_band_put(struct snd_kcontrol *kcontrol,
        struct snd_card_asihpi *asihpi = snd_kcontrol_chip(kcontrol);
        */
        u32 h_control = kcontrol->private_value;
+       unsigned int idx;
        u16 band;
        u16 tuner_bands[HPI_TUNER_BAND_LAST];
        u32 num_bands = 0;
@@ -1920,7 +1921,10 @@ static int snd_asihpi_tuner_band_put(struct snd_kcontrol *kcontrol,
        num_bands = asihpi_tuner_band_query(kcontrol, tuner_bands,
                        HPI_TUNER_BAND_LAST);
 
-       band = tuner_bands[ucontrol->value.enumerated.item[0]];
+       idx = ucontrol->value.enumerated.item[0];
+       if (idx >= ARRAY_SIZE(tuner_bands))
+               idx = ARRAY_SIZE(tuner_bands) - 1;
+       band = tuner_bands[idx];
        hpi_handle_error(hpi_tuner_set_band(h_control, band));
 
        return 1;
@@ -2383,7 +2387,8 @@ static int snd_asihpi_clksrc_put(struct snd_kcontrol *kcontrol,
        struct snd_card_asihpi *asihpi =
                        (struct snd_card_asihpi *)(kcontrol->private_data);
        struct clk_cache *clkcache = &asihpi->cc;
-       int change, item;
+       unsigned int item;
+       int change;
        u32 h_control = kcontrol->private_value;
 
        change = 1;