Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / opensource / audio-kernel / 94cae44246baed3ef282d9afc3fb2d4a1e900d03^1..94cae44246baed3ef282d9afc3fb2d4a1e900d03 / .
commit94cae44246baed3ef282d9afc3fb2d4a1e900d03[log] [tgz]
authorLinux Build Service Account <lnxbuild@localhost>Wed Apr 17 15:42:30 2019 -0700
committerLinux Build Service Account <lnxbuild@localhost>Wed Apr 17 15:42:30 2019 -0700
tree65d6d74785330495459c3220ab36684682d7fa39
parentdafbc7696cf683bba6050631605d0ea083355078 [diff]
parentf2384b9d3857f3db6d8120db6914d8b8b800a978 [diff]
Merge f2384b9d3857f3db6d8120db6914d8b8b800a978 on remote branch

Change-Id: Ie873924b52853868e17700cdf4028cc6cf8872f9

diff --git a/dsp/q6usm.c b/dsp/q6usm.c
index 1ed74a9..fc76dc3 100644
--- a/dsp/q6usm.c
+++ b/dsp/q6usm.c

@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2017, 2019, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -502,6 +502,11 @@
 	uint32_t token;
 	uint32_t *payload = data->payload;
 
+	if (data->payload_size < (2 * sizeof(uint32_t))) {
+		pr_err("%s: payload has invalid size[%d]\n", __func__,
+		       data->payload_size);
+		return -EINVAL;
+	}
 	pr_debug("%s: ptr0[0x%x]; ptr1[0x%x]; opcode[0x%x]\n",
 		 __func__, payload[0], payload[1], data->opcode);
 	pr_debug("%s: token[0x%x]; payload_size[%d]; src[%d]; dest[%d];\n",
@@ -563,6 +568,11 @@
 	}
 
 	if (data->opcode == APR_BASIC_RSP_RESULT) {
+		if (data->payload_size < (2 * sizeof(uint32_t))) {
+			pr_err("%s: payload has invalid size[%d]\n", __func__,
+			       data->payload_size);
+			return -EINVAL;
+		}
 		/* status field check */
 		if (payload[1]) {
 			pr_err("%s: wrong response[%d] on cmd [%d]\n",
@@ -626,6 +636,14 @@
 
 		opcode = Q6USM_EVENT_READ_DONE;
 		spin_lock_irqsave(&port->dsp_lock, dsp_flags);
+		if (data->payload_size <
+		    (sizeof(uint32_t)*(READDONE_IDX_STATUS + 1))) {
+			pr_err("%s: Invalid payload size for READDONE[%d]\n",
+			       __func__, data->payload_size);
+			spin_unlock_irqrestore(&port->dsp_lock,
+					       dsp_flags);
+			return -EINVAL;
+		}
 		if (payload[READDONE_IDX_STATUS]) {
 			pr_err("%s: wrong READDONE[%d]; token[%d]\n",
 			       __func__,
@@ -672,6 +690,12 @@
 		struct us_port_data *port = &usc->port[IN];
 
 		opcode = Q6USM_EVENT_WRITE_DONE;
+		if (data->payload_size <
+		    (sizeof(uint32_t)*(WRITEDONE_IDX_STATUS + 1))) {
+			pr_err("%s: Invalid payload size for WRITEDONE[%d]\n",
+			       __func__, data->payload_size);
+			return -EINVAL;
+		}
 		if (payload[WRITEDONE_IDX_STATUS]) {
 			pr_err("%s: wrong WRITEDONE_IDX_STATUS[%d]\n",
 			       __func__,

diff --git a/dsp/q6voice.c b/dsp/q6voice.c
index e5b1139..742f18d 100644
--- a/dsp/q6voice.c
+++ b/dsp/q6voice.c

@@ -7839,6 +7839,11 @@
 
 		cvs_voc_pkt = v->shmem_info.sh_buf.buf[1].data;
 		if (cvs_voc_pkt != NULL &&  common.mvs_info.ul_cb != NULL) {
+			if (v->shmem_info.sh_buf.buf[1].size <
+			    ((3 * sizeof(uint32_t)) + cvs_voc_pkt[2])) {
+				pr_err("%s: invalid voc pkt size\n", __func__);
+				return -EINVAL;
+			}
 			/* cvs_voc_pkt[0] contains tx timestamp */
 			common.mvs_info.ul_cb((uint8_t *)&cvs_voc_pkt[3],
 					      cvs_voc_pkt[2],