dsp: update size check for get VI param function
In afe_get_cal_sp_th_vi_param functions, data size
should check with size of cal_type_header. The check
is not present which might lead to out of bounds access.
Update condition to ensure data_size is greater than
or equal to size of cal_type_header.
Change-Id: Ib2904f53243f4fb858131511812fd90de32b4656
Signed-off-by: Kunlei Zhang <kunleiz@codeaurora.org>
diff --git a/dsp/q6afe.c b/dsp/q6afe.c
index 88124df..7f594f2 100644
--- a/dsp/q6afe.c
+++ b/dsp/q6afe.c
@@ -10160,6 +10160,7 @@
if (cal_data == NULL ||
data_size > sizeof(*cal_data) ||
+ data_size < sizeof(cal_data->cal_hdr) ||
this_afe.cal_data[AFE_FB_SPKR_PROT_TH_VI_CAL] == NULL)
return 0;
@@ -10188,7 +10189,8 @@
pr_debug("%s: cal_type = %d\n", __func__, cal_type);
if (this_afe.cal_data[AFE_FB_SPKR_PROT_V4_EX_VI_CAL] == NULL ||
cal_data == NULL ||
- data_size != sizeof(*cal_data))
+ data_size > sizeof(*cal_data) ||
+ data_size < sizeof(cal_data->cal_hdr))
goto done;
mutex_lock(&this_afe.cal_data[AFE_FB_SPKR_PROT_V4_EX_VI_CAL]->lock);
@@ -10255,7 +10257,8 @@
pr_debug("%s: cal_type = %d\n", __func__, cal_type);
if (this_afe.cal_data[AFE_FB_SPKR_PROT_EX_VI_CAL] == NULL ||
cal_data == NULL ||
- data_size != sizeof(*cal_data))
+ data_size > sizeof(*cal_data) ||
+ data_size < sizeof(cal_data->cal_hdr))
goto done;
mutex_lock(&this_afe.cal_data[AFE_FB_SPKR_PROT_EX_VI_CAL]->lock);