From 25ab82f5d7d8d8d3b4c8eaaa02944dd5a81be7c3 Mon Sep 17 00:00:00 2001
From: Karthik Reddy Katta <a_katta@codeaurora.org>
Date: Wed, 28 Dec 2016 11:24:33 +0530
Subject: drivers: soc: qcom: Add overflow check for sound model size

Overflow check is added for sound model size to prevent
heap overflow while allocating memory for sound model data.

CRs-Fixed: 1100682
Change-Id: Id38523a5e79028c692670e84d5fe924a855a5a10
Signed-off-by: Karthik Reddy Katta <a_katta@codeaurora.org>
---
 sound/soc/msm/msm-cpe-lsm.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c
index d5b675f..a4daf91d 100644
--- a/sound/soc/msm/msm-cpe-lsm.c
+++ b/sound/soc/msm/msm-cpe-lsm.c
@@ -1913,6 +1913,13 @@ static int msm_cpe_lsm_reg_model(struct snd_pcm_substream *substream,
 
 	lsm_ops->lsm_get_snd_model_offset(cpe->core_handle,
 			session, &offset);
+	/* Check if 'p_info->param_size + offset' crosses U32_MAX. */
+	if (p_info->param_size > U32_MAX - offset) {
+		dev_err(rtd->dev,
+			"%s: Invalid param_size %d\n",
+			__func__, p_info->param_size);
+		return -EINVAL;
+	}
 	session->snd_model_size = p_info->param_size + offset;
 
 	session->snd_model_data = vzalloc(session->snd_model_size);
-- 
cgit v1.1