ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()

These are 32-bit values that come from the user; we need to check for
integer overflows or we could end up allocating a smaller buffer than
expected.

Change-Id: Icf5a66c48d50b99907574b13450e9ed7ce7353f8
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index eb60cb8..68fe02c 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -407,6 +407,10 @@
 	unsigned int buffer_size;
 	void *buffer;
 
+	if (params->buffer.fragment_size == 0 ||
+	    params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+		return -EINVAL;
+
 	buffer_size = params->buffer.fragment_size * params->buffer.fragments;
 	if (stream->ops->copy) {
 		buffer = NULL;
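Review bot: the limit in `params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size` is wider than the type that holds the product. `buffer_size` is declared `unsigned int` and the commit message describes both operands as 32-bit, so on a 64-bit build `SIZE_MAX / fragment_size` is larger than any 32-bit `fragments` value. There the comparison can never be true, and the multiplication on the following line can still wrap to a small `buffer_size`. Suggest bounding against `UINT_MAX` (or the largest size the allocation path is meant to accept) so the check matches the 32-bit arithmetic. The `fragment_size == 0` test correctly guards the division, but `fragments == 0` still yields a zero `buffer_size`; the hunk does not show whether that is rejected elsewhere, so it is worth confirming or adding to this check.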