Multiple integer overflows in the snd_ctl_new function in
sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929
allow local users to cause a denial of service (heap memory corruption) or
possibly have unspecified other impact via a crafted (1)
SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.
Dan Rosenberg discovered that the Sound subsystem did not correctly
validate parameters. A local attacker could exploit this to crash the
system, leading to a denial of service.
Updated: 2015-10-17 03:35:47 UTC (commit 10086)