mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-25 14:56:12 -05:00
92 lines
3.5 KiB
Diff
92 lines
3.5 KiB
Diff
|
From 38b6131d78cecec5d970230aeee3cef485103d82 Mon Sep 17 00:00:00 2001
|
||
|
From: Fred Oh <fred@codeaurora.org>
|
||
|
Date: Thu, 3 Oct 2013 20:03:38 -0700
|
||
|
Subject: ASoC: msm: q6: check upper bounds when copy ac3 params
|
||
|
|
||
|
Although AC3 maximum param size is fixed, better check upper bounds
|
||
|
when copy user data. It might cause overflow, possibly cause memory
|
||
|
corruption.
|
||
|
|
||
|
Change-Id: Iaded762f774c608e48e685d92204fc7516aa3063
|
||
|
Signed-off-by: Fred Oh <fred@codeaurora.org>
|
||
|
---
|
||
|
sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c | 30 ++++++++++++++++++++++--------
|
||
|
1 file changed, 22 insertions(+), 8 deletions(-)
|
||
|
|
||
|
diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
|
||
|
index b630e4b..dcac1a0 100644
|
||
|
--- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
|
||
|
+++ b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
|
||
|
@@ -51,6 +51,8 @@
|
||
|
#define COMPRE_OUTPUT_METADATA_SIZE (sizeof(struct output_meta_data_st))
|
||
|
#define COMPRESSED_LR_VOL_MAX_STEPS 0x20002000
|
||
|
|
||
|
+#define MAX_AC3_PARAM_SIZE (18*2*sizeof(int))
|
||
|
+
|
||
|
const DECLARE_TLV_DB_LINEAR(compr_rx_vol_gain, 0,
|
||
|
COMPRESSED_LR_VOL_MAX_STEPS);
|
||
|
struct snd_msm {
|
||
|
@@ -973,19 +975,25 @@ static int msm_compr_ioctl(struct snd_pcm_substream *substream,
|
||
|
compr->codec = FORMAT_MPEG4_AAC;
|
||
|
break;
|
||
|
case SND_AUDIOCODEC_AC3: {
|
||
|
- char params_value[18*2*sizeof(int)];
|
||
|
+ char params_value[MAX_AC3_PARAM_SIZE];
|
||
|
int *params_value_data = (int *)params_value;
|
||
|
/* 36 is the max param length for ddp */
|
||
|
int i;
|
||
|
struct snd_dec_ddp *ddp =
|
||
|
&compr->info.codec_param.codec.options.ddp;
|
||
|
- int params_length = ddp->params_length*sizeof(int);
|
||
|
+ uint32_t params_length = ddp->params_length*sizeof(int);
|
||
|
+ if (params_length > MAX_AC3_PARAM_SIZE) {
|
||
|
+ /*MAX is 36*sizeof(int) this should not happen*/
|
||
|
+ pr_err("params_length(%d) is greater than %d",
|
||
|
+ params_length, MAX_AC3_PARAM_SIZE);
|
||
|
+ params_length = MAX_AC3_PARAM_SIZE;
|
||
|
+ }
|
||
|
pr_debug("SND_AUDIOCODEC_AC3\n");
|
||
|
compr->codec = FORMAT_AC3;
|
||
|
if (copy_from_user(params_value, (void *)ddp->params,
|
||
|
params_length))
|
||
|
- pr_err("%s: ERROR: copy ddp params value\n",
|
||
|
- __func__);
|
||
|
+ pr_err("%s: copy ddp params value, size=%d\n",
|
||
|
+ __func__, params_length);
|
||
|
pr_debug("params_length: %d\n", ddp->params_length);
|
||
|
for (i = 0; i < params_length; i++)
|
||
|
pr_debug("params_value[%d]: %x\n", i,
|
||
|
@@ -1004,19 +1012,25 @@ static int msm_compr_ioctl(struct snd_pcm_substream *substream,
|
||
|
break;
|
||
|
}
|
||
|
case SND_AUDIOCODEC_EAC3: {
|
||
|
- char params_value[18*2*sizeof(int)];
|
||
|
+ char params_value[MAX_AC3_PARAM_SIZE];
|
||
|
int *params_value_data = (int *)params_value;
|
||
|
/* 36 is the max param length for ddp */
|
||
|
int i;
|
||
|
struct snd_dec_ddp *ddp =
|
||
|
&compr->info.codec_param.codec.options.ddp;
|
||
|
- int params_length = ddp->params_length*sizeof(int);
|
||
|
+ uint32_t params_length = ddp->params_length*sizeof(int);
|
||
|
+ if (params_length > MAX_AC3_PARAM_SIZE) {
|
||
|
+ /*MAX is 36*sizeof(int) this should not happen*/
|
||
|
+ pr_err("params_length(%d) is greater than %d",
|
||
|
+ params_length, MAX_AC3_PARAM_SIZE);
|
||
|
+ params_length = MAX_AC3_PARAM_SIZE;
|
||
|
+ }
|
||
|
pr_debug("SND_AUDIOCODEC_EAC3\n");
|
||
|
compr->codec = FORMAT_EAC3;
|
||
|
if (copy_from_user(params_value, (void *)ddp->params,
|
||
|
params_length))
|
||
|
- pr_err("%s: ERROR: copy ddp params value\n",
|
||
|
- __func__);
|
||
|
+ pr_err("%s: copy ddp params value, size=%d\n",
|
||
|
+ __func__, params_length);
|
||
|
pr_debug("params_length: %d\n", ddp->params_length);
|
||
|
for (i = 0; i < ddp->params_length; i++)
|
||
|
pr_debug("params_value[%d]: %x\n", i,
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|