2017-10-29 22:14:37 -04:00
|
|
|
From 81ce573830e9d5531531b3ec778c58e6b9167bcd Mon Sep 17 00:00:00 2001
|
2017-10-29 01:48:53 -04:00
|
|
|
From: Dan Carpenter <dan.carpenter@oracle.com>
|
|
|
|
|
Date: Wed, 5 Sep 2012 15:32:18 +0300
|
|
|
|
|
Subject: [PATCH] ALSA: compress_core: integer overflow in
|
|
|
|
|
snd_compr_allocate_buffer()
|
|
|
|
|
|
|
|
|
|
These are 32 bit values that come from the user, we need to check for
|
|
|
|
|
integer overflows or we could end up allocating a smaller buffer than
|
|
|
|
|
expected.
|
|
|
|
|
|
|
|
|
|
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
|
|
|
|
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
|
|
|
---
|
|
|
|
|
sound/core/compress_offload.c | 4 ++++
|
|
|
|
|
1 file changed, 4 insertions(+)
|
|
|
|
|
|
|
|
|
|
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
|
|
|
|
|
index eb60cb8dbb8a6..68fe02c7400a2 100644
|
|
|
|
|
--- a/sound/core/compress_offload.c
|
|
|
|
|
+++ b/sound/core/compress_offload.c
|
|
|
|
|
@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
|
|
|
|
|
unsigned int buffer_size;
|
|
|
|
|
void *buffer;
|
|
|
|
|
|
|
|
|
|
+ if (params->buffer.fragment_size == 0 ||
|
|
|
|
|
+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
|
|
|
|
|
+ return -EINVAL;
|
|
|
|
|
+
|
|
|
|
|
buffer_size = params->buffer.fragment_size * params->buffer.fragments;
|
|
|
|
|
if (stream->ops->copy) {
|
|
|
|
|
buffer = NULL;
|
