DivestOS/Patches/Linux_CVEs/CVE-2014-9904/ANY/0.patch

From 6217e5ede23285ddfee10d2e4ba0cc2d4c046205 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 16 Jul 2014 09:37:04 +0300
Subject: ALSA: compress: fix an integer overflow check

I previously added an integer overflow check here but looking at it now,
it's still buggy.

The bug happens in snd_compr_allocate_buffer().  We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.

Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/compress_offload.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 7403f34..89028fa 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
 {
 	/* first let's check the buffer parameter's */
 	if (params->buffer.fragment_size == 0 ||
-			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
 		return -EINVAL;
 
 	/* now codec parameters */
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From 6217e5ede23285ddfee10d2e4ba0cc2d4c046205 Mon Sep 17 00:00:00 2001`
			`From: Dan Carpenter <dan.carpenter@oracle.com>`
			`Date: Wed, 16 Jul 2014 09:37:04 +0300`
			`Subject: ALSA: compress: fix an integer overflow check`

			`I previously added an integer overflow check here but looking at it now,`
			`it's still buggy.`

			`The bug happens in snd_compr_allocate_buffer(). We multiply`
			`".fragments" and ".fragment_size" and that doesn't overflow but then we`
			`save it in an unsigned int so it truncates the high bits away and we`
			`allocate a smaller than expected size.`

			`Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')`
			`Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>`
			`Signed-off-by: Takashi Iwai <tiwai@suse.de>`
			`---`
			`sound/core/compress_offload.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c`
			`index 7403f34..89028fa 100644`
			`--- a/sound/core/compress_offload.c`
			`+++ b/sound/core/compress_offload.c`
			`@@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)`
			`{`
			`/* first let's check the buffer parameter's */`
			`if (params->buffer.fragment_size == 0 \|\|`
			`- params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)`
			`+ params->buffer.fragments > INT_MAX / params->buffer.fragment_size)`
			`return -EINVAL;`

			`/* now codec parameters */`
			`--`
			`cgit v1.1`