ALSA: asihpi: Fix potential OOB array access at reading cache

find_control() to retrieve a cached info accesses the array with the
given index blindly, which may lead to an OOB array access.
Add a sanity check for avoiding it.

Link: https://sashiko.dev/#/patchset/20260511230121.28606-1-rosenp%40gmail.com
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260515085606.242284-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/pci/asihpi/hpicmn.c b/sound/pci/asihpi/hpicmn.c
index d846777e7462b301f6fc3c3b11dc81174099d3f1..19f0da2e650149081d3270603ab2e7c9b3d2407f 100644 (file)
--- a/sound/pci/asihpi/hpicmn.c
+++ b/sound/pci/asihpi/hpicmn.c
@@ -276,6 +276,12 @@ static short find_control(u16 control_index,
                return 0;
        }
 
+       if (control_index >= p_cache->control_count) {
+               HPI_DEBUG_LOG(VERBOSE, "control_index out of bounce %d\n",
+                       control_index);
+               return 0;
+       }
+
        *pI = p_cache->p_info[control_index];
        if (!*pI) {
                HPI_DEBUG_LOG(VERBOSE, "Uncached Control %d\n",