From 444c1953d496d272208902ff7010dc70d1f887f0 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <error27@gmail.com>
Date: Sun, 3 Jan 2010 12:39:27 +0100
Subject: sound: oss: off by one bug

The problem is that in the original code sound_nblocks could go up to 1024
which would be an array overflow.

This was found with a static checker and has been compile tested only.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
---
 sound/oss/soundcard.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'sound/oss/soundcard.c')

diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
index 61aaedae6b7e..c62530943888 100644
--- a/sound/oss/soundcard.c
+++ b/sound/oss/soundcard.c
@@ -56,7 +56,7 @@
 /*
  * Table for permanently allocated memory (used when unloading the module)
  */
-void *          sound_mem_blocks[1024];
+void *          sound_mem_blocks[MAX_MEM_BLOCKS];
 int             sound_nblocks = 0;
 
 /* Persistent DMA buffers */
@@ -574,7 +574,7 @@ static int __init oss_init(void)
 				      NULL, "%s%d", dev_list[i].name, j);
 	}
 
-	if (sound_nblocks >= 1024)
+	if (sound_nblocks >= MAX_MEM_BLOCKS - 1)
 		printk(KERN_ERR "Sound warning: Deallocation table was too small.\n");
 	
 	return 0;
-- 
cgit v1.2.3-59-g8ed1b