DivestOS/Patches/Linux_CVEs/CVE-2016-5859/3.18/0002.patch


From 97fdb441a9fb330a76245e473bc1a2155c809ebe Mon Sep 17 00:00:00 2001
From: Sharad Sangle <assangle@codeaurora.org>
Date: Tue, 13 Dec 2016 14:35:39 +0530
Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
To avoid buffer overflow, validate input length used to
fetch visualizer data.
CRs-fixed: 1096672
Change-Id: I224bc2f20d94182713c565972fb0bd52cad6f3fd
Signed-off-by: Sharad Sangle <assangle@codeaurora.org>
---
sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
index bb0f890..5866e46 100644
--- a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
+++ b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2014, 2016, The Linux Foundation. All rights reserved.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
* only version 2 as published by the Free Software Foundation.
@@ -18,6 +18,10 @@
#include "msm-dolby-dap-config.h"
+#ifndef DOLBY_PARAM_VCNB_MAX_LENGTH
+#define DOLBY_PARAM_VCNB_MAX_LENGTH 40
+#endif
+
/* dolby endp based parameters */
struct dolby_dap_endp_params_s {
int device;
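Review bot: The new `DOLBY_PARAM_VCNB_MAX_LENGTH` is a bare `40` wrapped in `#ifndef`, so nothing in this hunk ties the bound to the size of the buffer it protects. A different definition reaching this file through `msm-dolby-dap-config.h` would also silently take precedence. Because this constant is the entire overflow guard, I would define it once and unconditionally, presumably in the header beside the other `DOLBY_PARAM_*` values, with a comment such as `/* upper bound on the VCNB length accepted by the visualizer get handler; must keep the copied payload within the destination */`. The destination size is not visible here, so the value should be confirmed against the copy in `msm_dolby_dap_param_visualizer_control_get`.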
@@ -896,6 +900,11 @@ int msm_dolby_dap_param_visualizer_control_get(struct snd_kcontrol *kcontrol,
uint32_t param_payload_len =
DOLBY_PARAM_PAYLOAD_SIZE * sizeof(uint32_t);
int port_id, copp_idx, idx;
+ if (length > DOLBY_PARAM_VCNB_MAX_LENGTH || length <= 0) {
+ pr_err("%s Incorrect VCNB length", __func__);
+ ucontrol->value.integer.value[0] = 0;
+ return -EINVAL;
+ }
for (idx = 0; idx < AFE_MAX_PORTS; idx++) {
port_id = dolby_dap_params_states.port_id[idx];
copp_idx = dolby_dap_params_states.copp_idx[idx];
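Review bot: The `pr_err` in the added check has no trailing `\n` and does not log the rejected value, so the message can run into the next log line and gives no clue about what was passed. Something like `pr_err("%s: invalid VCNB length %d\n", __func__, length);` fixes both, with the specifier matched to the declared type of `length`. That declaration sits above the hunk; if `length` is unsigned, `length <= 0` only tests for zero and `length == 0` would say so more plainly. If this get handler can be invoked repeatedly from userspace, which seems likely for a kcontrol but is not shown here, `pr_err_ratelimited` would keep a bad caller from flooding the log. The function body starts before and continues past this hunk.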
--
cgit v1.1