From 077614c9f2b9f9d062fed66e3ae7669937ea6b85 Mon Sep 17 00:00:00 2001
From: Xiaojun Sang <xsang@codeaurora.org>
Date: Fri, 04 Nov 2016 14:35:58 +0800
Subject: [PATCH] ASoC: soc: qdsp6: prevent risk of buffer overflow
In case of large value for bufcnt,
cmd_size may overflow. Buffer size allocated by cmd_size might
be not as expected.
Possible buffer overflow could happen.
Backport reference:
* Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08
* CRs-Fixed: 1084210
Change-Id: I93f820e0344bfa05dee6a3e83d84ef688e23f761
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Signed-off-by: Adrian DC <radian.dc@gmail.com>
---
diff --git a/sound/soc/msm/qdsp6/q6asm.c b/sound/soc/msm/qdsp6/q6asm.c
index 2cde92a..c3bcdcd 100644
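--- a/sound/soc/msm/qdsp6/q6asm.c
+++ b/sound/soc/msm/qdsp6/q6asm.c
@@ -2893,7 +2893,7 @@
 void *payload = NULL;
 int rc = 0;
 int i = 0;
- int cmd_size = 0;
+ uint32_t cmd_size = 0;
 
 if (!ac || ac->apr == NULL || this_mmap.apr == NULL) {
 pr_err("APR handle NULL\n");
@@ -2901,6 +2901,14 @@
 }
 pr_debug("%s: Session[%d]\n", __func__, ac->session);
 
+ if (bufcnt > (UINT_MAX
+ - sizeof(struct asm_stream_cmd_memory_map_regions))
+ / sizeof(struct asm_memory_map_regions)) {
+ pr_err("%s: Unsigned Integer Overflow. bufcnt = %u\n",
+ __func__, bufcnt);
+ return -EINVAL;
+ }
+
 cmd_size = sizeof(struct asm_stream_cmd_memory_map_regions)
 + sizeof(struct asm_memory_map_regions) * bufcnt;
 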
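Review bot: The guard added before the `cmd_size` computation only excludes arithmetic wrap, so a `bufcnt` just below `(UINT_MAX - sizeof(struct asm_stream_cmd_memory_map_regions)) / sizeof(struct asm_memory_map_regions)` still passes and yields a request of nearly 4 GiB. Whether that is safe depends on code outside these hunks: the allocation sized by `cmd_size` has to be checked for failure, and any later loop over `bufcnt` must not index past the buffers the client actually holds. If the driver defines a maximum region count, comparing `bufcnt` against it here (for example `bufcnt > <MAX_REGIONS_PLACEHOLDER>`, where the name is a placeholder) would be a tighter bound than `UINT_MAX`. A short comment above the check, such as `/* reject bufcnt for which cmd_size would wrap in 32 bits */`, would record why the bound has this form. The function signature and the later uses of `cmd_size` are not visible, so it is worth confirming that no callee still receives it as a signed or narrower type now that it is `uint32_t`.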