From 537153aaafa94efe77efd566eada7dbab9fb76dd Mon Sep 17 00:00:00 2001 From: wangdicheng Date: Wed, 3 Jun 2026 17:11:00 +0800 Subject: [PATCH] ALSA: usb-audio: qcom: Use snprintf for mixer control name formatting The current code uses sprintf() to format control names without bounds checking, which could lead to buffer overflow if PCM index is large. Replace sprintf with snprintf to ensure buffer safety. The ctl_name buffer is 48 bytes, and the formatted string could exceed this with large PCM index values. Using snprintf with sizeof(ctl_name) prevents potential buffer overflow. Signed-off-by: wangdicheng Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20260603091102.231370-2-wangdich9700@163.com --- sound/usb/qcom/mixer_usb_offload.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/usb/qcom/mixer_usb_offload.c b/sound/usb/qcom/mixer_usb_offload.c index 2adeb64f4d33f..48e55d5872d50 100644 --- a/sound/usb/qcom/mixer_usb_offload.c +++ b/sound/usb/qcom/mixer_usb_offload.c @@ -128,7 +128,7 @@ int snd_usb_offload_create_ctl(struct snd_usb_audio *chip, struct device *bedev) */ chip_kctl->private_value = as->pcm_index | chip->card->number << 16; - sprintf(ctl_name, "USB Offload Playback Card Route PCM#%d", + snprintf(ctl_name, sizeof(ctl_name), "USB Offload Playback Card Route PCM#%d", as->pcm_index); chip_kctl->name = ctl_name; ret = snd_ctl_add(chip->card, snd_ctl_new1(chip_kctl, bedev)); @@ -143,7 +143,7 @@ int snd_usb_offload_create_ctl(struct snd_usb_audio *chip, struct device *bedev) */ chip_kctl->private_value = as->pcm_index | chip->card->number << 16; - sprintf(ctl_name, "USB Offload Playback PCM Route PCM#%d", + snprintf(ctl_name, sizeof(ctl_name), "USB Offload Playback PCM Route PCM#%d", as->pcm_index); chip_kctl->name = ctl_name; ret = snd_ctl_add(chip->card, snd_ctl_new1(chip_kctl, bedev)); -- 2.47.3