pcm: fix buffer overflow in snd_pcm_chmap_print()

The size argument is wrong for one of the snprintf() calls in
snd_pcm_chmap_print(), allowing an overflow to happen (the user-provided
buffer may be written data up to 2x its actual size).

Seen in an user report here: http://trac.kodi.tv/ticket/15641

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/src/pcm/pcm.c b/src/pcm/pcm.c
index baa47c73fa4df725c1fd2d2945c62aa4a81ecb6d..e74e02fc568f14d4e8006d9d5ab5cb1130eeee68 100644 (file)
--- a/src/pcm/pcm.c
+++ b/src/pcm/pcm.c
@@ -7621,7 +7621,7 @@ int snd_pcm_chmap_print(const snd_pcm_chmap_t *map, size_t maxlen, char *buf)
                                return -ENOMEM;
                }
                if (map->pos[i] & SND_CHMAP_DRIVER_SPEC)
-                       len += snprintf(buf + len, maxlen, "%d", p);
+                       len += snprintf(buf + len, maxlen - len, "%d", p);
                else {
                        const char *name = chmap_names[p];
                        if (name)