2017-11-07 17:32:46 -05:00
|
|
|
From 9bcf048a7d1a8a0511feb39d6d3111044e6278ec Mon Sep 17 00:00:00 2001
|
2017-10-29 01:48:53 -04:00
|
|
|
From: Karthik Reddy Katta <a_katta@codeaurora.org>
|
|
|
|
Date: Wed, 28 Dec 2016 11:24:33 +0530
|
|
|
|
Subject: drivers: soc: qcom: Add overflow check for sound model size
|
|
|
|
|
|
|
|
Overflow check is added for sound model size to prevent
|
|
|
|
heap overflow while allocating memory for sound model data.
|
|
|
|
|
|
|
|
CRs-Fixed: 1100682
|
|
|
|
Change-Id: Id38523a5e79028c692670e84d5fe924a855a5a10
|
|
|
|
Signed-off-by: Karthik Reddy Katta <a_katta@codeaurora.org>
|
|
|
|
---
|
|
|
|
sound/soc/msm/msm-cpe-lsm.c | 7 +++++++
|
|
|
|
1 file changed, 7 insertions(+)
|
|
|
|
|
|
|
|
diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c
|
2017-11-07 17:32:46 -05:00
|
|
|
index 6483b93..0c10829 100644
|
2017-10-29 01:48:53 -04:00
|
|
|
--- a/sound/soc/msm/msm-cpe-lsm.c
|
|
|
|
+++ b/sound/soc/msm/msm-cpe-lsm.c
|
2017-11-07 17:32:46 -05:00
|
|
|
@@ -1874,6 +1874,13 @@ static int msm_cpe_lsm_reg_model(struct snd_pcm_substream *substream,
|
2017-10-29 01:48:53 -04:00
|
|
|
|
|
|
|
lsm_ops->lsm_get_snd_model_offset(cpe->core_handle,
|
|
|
|
session, &offset);
|
|
|
|
+ /* Check if 'p_info->param_size + offset' crosses U32_MAX. */
|
|
|
|
+ if (p_info->param_size > U32_MAX - offset) {
|
|
|
|
+ dev_err(rtd->dev,
|
|
|
|
+ "%s: Invalid param_size %d\n",
|
|
|
|
+ __func__, p_info->param_size);
|
|
|
|
+ return -EINVAL;
|
|
|
|
+ }
|
|
|
|
session->snd_model_size = p_info->param_size + offset;
|
|
|
|
|
|
|
|
session->snd_model_data = vzalloc(session->snd_model_size);
|
|
|
|
--
|
|
|
|
cgit v1.1
|
|
|
|
|