From e13ebd727d161db7003be6756e61283dce85fa3b Mon Sep 17 00:00:00 2001 From: Bhalchandra Gajare Date: Tue, 10 Feb 2015 14:44:36 -0800 Subject: ASoC: q6lsm: Add check for integer overflow During sound model registration, the total memory size needed by the sound model data is the sum of sound model length, number of zero padding bytes and the calibration size. It is possible this sum can result into integer overflow causing difficult to debug issues. Add check for integer overflow to avoid such possible issues. CRs-fixed: 792367 Change-Id: I9f451aa308214a4eac42b82e2abf1375c858ff30 Signed-off-by: Bhalchandra Gajare --- sound/soc/msm/qdsp6v2/q6lsm.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/sound/soc/msm/qdsp6v2/q6lsm.c b/sound/soc/msm/qdsp6v2/q6lsm.c index db29115..67be542 100644 --- a/sound/soc/msm/qdsp6v2/q6lsm.c +++ b/sound/soc/msm/qdsp6v2/q6lsm.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2014, Linux Foundation. All rights reserved. + * Copyright (c) 2013-2015, Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -1055,6 +1055,15 @@ int q6lsm_snd_model_buf_alloc(struct lsm_client *client, size_t len) client->sound_model.size = len; pad_zero = (LSM_ALIGN_BOUNDARY - (len % LSM_ALIGN_BOUNDARY)); + if ((len > SIZE_MAX - pad_zero) || + (len + pad_zero > + SIZE_MAX - cal_block->cal_data.size)) { + pr_err("%s: invalid allocation size, len = %zd, pad_zero =%zd, cal_size = %zd\n", + __func__, len, pad_zero, + cal_block->cal_data.size); + rc = -EINVAL; + goto fail; + } total_mem = PAGE_ALIGN(pad_zero + len + cal_block->cal_data.size); -- cgit v1.1