SoC: msm: Add Buffer overflow check
The overflow check is required to ensure that user space data
in kernel may not go beyond buffer boundary.
CRs-Fixed: 563086
Signed-off-by: Asish Bhattacharya <asishb@codeaurora.org>
Signed-off-by: Mohammad Johny Shaik <mjshai@codeaurora.org>
(cherry picked from commit 7e09949355b2dac9aac8bb414037ccaca3c68d86)
Signed-off-by: Pavan Chikkala <pavanc@codeaurora.org>
Change-Id: I4da774740c71b97dc2e4fd16c78bf065ad457690
Signed-off-by: Pavan Chikkala <pavanc@codeaurora.org>
Signed-off-by: Divya Narayanan Poojary <dnaray@codeaurora.org>
diff --git a/arch/arm/mach-msm/qdsp6v2/audio_utils.c b/arch/arm/mach-msm/qdsp6v2/audio_utils.c
index 109e120..7ccc0e3 100644
--- a/arch/arm/mach-msm/qdsp6v2/audio_utils.c
+++ b/arch/arm/mach-msm/qdsp6v2/audio_utils.c
@@ -24,9 +24,9 @@
#include "audio_utils.h"
#define MIN_FRAME_SIZE 1536
-#define NUM_FRAMES 5
-#define META_SIZE (sizeof(struct meta_out_dsp))
-#define FRAME_SIZE (1 + ((MIN_FRAME_SIZE + META_SIZE) * NUM_FRAMES))
+#define NUM_FRAMES 5
+#define META_SIZE (sizeof(struct meta_out_dsp))
+#define FRAME_SIZE (1 + ((MIN_FRAME_SIZE + META_SIZE) * NUM_FRAMES))
static int audio_in_pause(struct q6audio_in *audio)
{
diff --git a/sound/soc/msm/qdsp6/q6asm.c b/sound/soc/msm/qdsp6/q6asm.c
index 659d5a2..8ecb147 100644
--- a/sound/soc/msm/qdsp6/q6asm.c
+++ b/sound/soc/msm/qdsp6/q6asm.c
@@ -57,6 +57,7 @@
#define OUT_BUFFER_SIZE 56
#define IN_BUFFER_SIZE 24
#endif
+#define FRAME_NUM (8)
static DEFINE_MUTEX(session_lock);
/* session id: 0 reserved */
@@ -509,6 +510,9 @@
pr_debug("%s: buffer already allocated\n", __func__);
return 0;
}
+
+ if (bufcnt != FRAME_NUM)
+ goto fail;
mutex_lock(&ac->cmd_lock);
buf = kzalloc(((sizeof(struct audio_buffer))*bufcnt),
GFP_KERNEL);