diff options
| author | Mauro Carvalho Chehab <mchehab+huawei@kernel.org> | 2021-06-02 10:59:50 +0200 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab+huawei@kernel.org> | 2021-06-02 10:59:50 +0200 |
| commit | 80c1c54a2aa3c5177f73fc5d505668df56fb28b6 (patch) | |
| tree | d17e76cec3366309b27280a8a5b54935a3864fb6 /sound/usb/midi.c | |
| parent | 71c689dc2e732d4cb190aaf0edea73116b1611bd (diff) | |
| parent | 8124c8a6b35386f73523d27eacb71b5364a68c4c (diff) | |
Merge tag 'v5.13-rc4' into media_tree
Linux 5.13-rc4
* tag 'v5.13-rc4': (976 commits)
Linux 5.13-rc4
seccomp: Refactor notification handler to prepare for new semantics
selftests: kvm: fix overlapping addresses in memslot_perf_test
KVM: X86: Kill off ctxt->ud
KVM: X86: Fix warning caused by stale emulation context
KVM: X86: Use kvm_get_linear_rip() in single-step and #DB/#BP interception
Documentation: seccomp: Fix user notification documentation
MAINTAINERS: adjust to removing i2c designware platform data
perf vendor events powerpc: Fix eventcode of power10 JSON events
Revert "serial: 8250: 8250_omap: Fix possible interrupt storm"
i2c: s3c2410: fix possible NULL pointer deref on read message after write
i2c: mediatek: Disable i2c start_en and clear intr_stat brfore reset
perf stat: Fix error check for bpf_program__attach
cifs: change format of CIFS_FULL_KEY_DUMP ioctl
i2c: i801: Don't generate an interrupt on bus reset
i2c: mpc: implement erratum A-004447 workaround
powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers
powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers
dt-bindings: i2c: mpc: Add fsl,i2c-erratum-a004447 flag
i2c: busses: i2c-stm32f4: Remove incorrectly placed ' ' from function name
...
Diffstat (limited to 'sound/usb/midi.c')
| -rw-r--r-- | sound/usb/midi.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/sound/usb/midi.c b/sound/usb/midi.c index a10ac75969a8..2c01649c70f6 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1750,7 +1750,7 @@ static struct usb_midi_in_jack_descriptor *find_usb_in_jack_descriptor( struct usb_midi_in_jack_descriptor *injd = (struct usb_midi_in_jack_descriptor *)extra; - if (injd->bLength > 4 && + if (injd->bLength >= sizeof(*injd) && injd->bDescriptorType == USB_DT_CS_INTERFACE && injd->bDescriptorSubtype == UAC_MIDI_IN_JACK && injd->bJackID == jack_id) @@ -1773,7 +1773,7 @@ static struct usb_midi_out_jack_descriptor *find_usb_out_jack_descriptor( struct usb_midi_out_jack_descriptor *outjd = (struct usb_midi_out_jack_descriptor *)extra; - if (outjd->bLength > 4 && + if (outjd->bLength >= sizeof(*outjd) && outjd->bDescriptorType == USB_DT_CS_INTERFACE && outjd->bDescriptorSubtype == UAC_MIDI_OUT_JACK && outjd->bJackID == jack_id) @@ -1820,7 +1820,8 @@ static void snd_usbmidi_init_substream(struct snd_usb_midi *umidi, outjd = find_usb_out_jack_descriptor(hostif, jack_id); if (outjd) { sz = USB_DT_MIDI_OUT_SIZE(outjd->bNrInputPins); - iJack = *(((uint8_t *) outjd) + sz - sizeof(uint8_t)); + if (outjd->bLength >= sz) + iJack = *(((uint8_t *) outjd) + sz - sizeof(uint8_t)); } } else { /* and out jacks connect to ins */ @@ -1956,8 +1957,12 @@ static int snd_usbmidi_get_ms_info(struct snd_usb_midi *umidi, ms_ep = find_usb_ms_endpoint_descriptor(hostep); if (!ms_ep) continue; + if (ms_ep->bLength <= sizeof(*ms_ep)) + continue; if (ms_ep->bNumEmbMIDIJack > 0x10) continue; + if (ms_ep->bLength < sizeof(*ms_ep) + ms_ep->bNumEmbMIDIJack) + continue; if (usb_endpoint_dir_out(ep)) { if (endpoints[epidx].out_ep) { if (++epidx >= MIDI_MAX_ENDPOINTS) { |