From 2c04c0dab66013b7dfbe4d5a523c2c1d6b5b11d6 Mon Sep 17 00:00:00 2001
From: Weiyin Jiang
Date: Tue, 26 Apr 2016 14:35:38 +0800
Subject: ASoC: msm: audio-effects: misc fixes in h/w accelerated effect
Adding memory copy size check and integer overflow check in h/w accelerated effect driver.
Change-Id: I17d4cc0a38770f0c5067fa8047cd63e7bf085e48
CRs-Fixed: 1006609
Signed-off-by: Weiyin Jiang
---
 drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 8 +++++---
 sound/soc/msm/qdsp6v2/q6asm.c | 6 ++++++
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
index 3ba20ca..3a88344 100644
--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
@@ -163,7 +163,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
 pr_debug("%s: dec buf size: %d, num_buf: %d, enc buf size: %d, num_buf: %d\n", __func__, effects->config.output.buf_size,
- effects->config.output.buf_size,
+ effects->config.output.num_buf,
 effects->config.input.buf_size, effects->config.input.num_buf);
 rc = q6asm_audio_client_buf_alloc_contiguous(IN, effects->ac,
@@ -251,7 +251,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
 bufptr = q6asm_is_cpu_buf_avail(IN, effects->ac, &size, &idx);
 if (bufptr) {
- if (copy_from_user(bufptr, (void *)arg,
+ if ((effects->config.buf_cfg.output_len > size) ||
+ copy_from_user(bufptr, (void *)arg,
 effects->config.buf_cfg.output_len)) {
 rc = -EFAULT;
 goto ioctl_fail;
@@ -307,7 +308,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
 rc = -EFAULT;
 goto ioctl_fail;
 }
- if (copy_to_user((void *)arg, bufptr,
+ if ((effects->config.buf_cfg.input_len > size) ||
+ copy_to_user((void *)arg, bufptr,
 effects->config.buf_cfg.input_len)) {
 rc = -EFAULT;
 goto ioctl_fail;
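Review bot: In the `@@ -251,7 +251,8 @@` hunk the new bound reads `effects->config.buf_cfg.output_len` once for the comparison with `size` and again as the `copy_from_user()` length, so the check only holds if nothing can change `buf_cfg` between the two reads; the `@@ -307,7 +308,8 @@` hunk has the same shape with `input_len` and `copy_to_user()`. Whether a lock is held at these points is not visible, because `audio_effects_shared_ioctl()` starts and ends outside both hunks. Taking the length into a local of the field's type first, `len = effects->config.buf_cfg.output_len;` followed by `if ((len > size) || copy_from_user(bufptr, (void *)arg, len)) {`, makes the check and the copy use the same value. An oversized length also returns `-EFAULT` with no log line, which a caller cannot tell apart from a bad user pointer; a separate branch with `rc = -EINVAL;` and a `pr_err()` naming the two sizes would make a rejected request diagnosable.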
diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
index df310b8..d143eb0 100644
--- a/sound/soc/msm/qdsp6v2/q6asm.c
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
@@ -1300,6 +1300,12 @@ int q6asm_audio_client_buf_alloc_contiguous(unsigned int dir,
 ac->port[dir].buf = buf;
+ /* check for integer overflow */
+ if ((bufcnt > 0) && ((INT_MAX / bufcnt) < bufsz)) {
+ pr_err("%s: integer overflow\n", __func__);
+ mutex_unlock(&ac->cmd_lock);
+ goto fail;
+ }
 bytes_to_alloc = bufsz * bufcnt;
 /* The size to allocate should be multiple of 4K bytes */
-- cgit v1.1
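Review bot: The new guard before `bytes_to_alloc = bufsz * bufcnt;` bounds the product at `INT_MAX`, but the context comment right after it says the size is then rounded up to a multiple of 4K, and a product within 4095 of `INT_MAX` could still wrap in that step if `bytes_to_alloc` is a signed int. The rounding code and the declarations are outside the hunk, so this needs checking against the full function; if it applies, leave headroom in the guard, for example `if ((bufcnt > 0) && (((INT_MAX - 4095) / bufcnt) < bufsz)) {`. The failure branch also jumps to `fail` without setting an error code in the visible lines, and `ac->port[dir].buf` has already been assigned just above it, so confirm that `fail` returns a negative errno and releases `buf`.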