Bug 44721
| Summary: | Missing NULL check of the return value of snd_ctl_new1() in function snd_ac97_cvol_new() | ||
|---|---|---|---|
| Product: | Drivers | Reporter: | RUC_Soft_Sec (rucsoftsec) |
| Component: | Sound(ALSA) | Assignee: | Jaroslav Kysela (perex) |
| Status: | RESOLVED CODE_FIX | ||
| Severity: | normal | CC: | alan, bjorn, florian |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 2.6.39 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
A patch referencing this bug report has been merged in Linux v3.7-rc2: commit 733a48e5ae5bf28b046fad984d458c747cbb8c21 Author: Takashi Iwai <tiwai@suse.de> Date: Thu Oct 11 16:43:40 2012 +0200 ALSA: ac97 - Fix missing NULL check in snd_ac97_cvol_new() |
Function snd_ctl_new1() creates a control instance from the template, and will return the newly generated instance or NULL on failure, thus the return value of snd_ctl_new1() shall be checked against NULL before used. But there is no NULL checking after the call of snd_ctl_new1() in function snd_ac97_cvol_new()(defined at sound/pci/ac97/ac97_codec.c:1267). Related codes are as following. From the source code, we can see snd_ctl_new1() is called at line 1267 and 1272, and there is no checking of their return value. snd_ac97_cvol_new() @@sound/pci/ac97/ac97_codec.c:1263 1263 if (hi_max) { 1264 /* invert */ 1265 struct snd_kcontrol_new tmp = AC97_DOUBLE(name, reg, 8, 0, lo_max, 1); 1266 tmp.index = ac97->num; 1267 kctl = snd_ctl_new1(&tmp, ac97); 1268 } else { 1269 /* invert */ 1270 struct snd_kcontrol_new tmp = AC97_SINGLE(name, reg, 0, lo_max, 1); 1271 tmp.index = ac97->num; 1272 kctl = snd_ctl_new1(&tmp, ac97); 1273 } 1274 if (reg >= AC97_PHONE && reg <= AC97_PCM) 1275 set_tlv_db_scale(kctl, db_scale_5bit_12db_max); 1276 else 1277 set_tlv_db_scale(kctl, find_db_scale(lo_max)); 1278 err = snd_ctl_add(card, kctl);