From 5e3dd3f21b44424405a009ba676df52322d9e7cf Mon Sep 17 00:00:00 2001
From: Sharad Sangle <assangle@codeaurora.org>
Date: Mon, 19 Dec 2016 17:00:25 +0530
Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length

To avoid buffer overflow, validate input length used to
set Dolby params.

Change-Id: I3f9d6040f118f63b60c20c83b0d8cae638f4a530
CRs-Fixed: 1095947
Signed-off-by: Sharad Sangle <assangle@codeaurora.org>
---
 sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
index df32ede..8da75d7 100644
--- a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
+++ b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
@@ -681,7 +681,7 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
 					   struct snd_ctl_elem_value *ucontrol)
 {
 	int rc = 0, port_id, copp_idx;
-	uint32_t idx, j;
+	uint32_t idx, j, current_offset;
 	uint32_t device = ucontrol->value.integer.value[0];
 	uint32_t param_id = ucontrol->value.integer.value[1];
 	uint32_t offset = ucontrol->value.integer.value[2];
@@ -758,6 +758,19 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
 		default: {
 			/* cache the parameters */
 			dolby_dap_params_modified[idx] += 1;
+			current_offset = dolby_dap_params_offset[idx] + offset;
+			if (current_offset >= TOTAL_LENGTH_DOLBY_PARAM) {
+				pr_err("%s: invalid offset %d at idx %d\n",
+				__func__, offset, idx);
+				return -EINVAL;
+			}
+			if ((length == 0) || (current_offset + length - 1
+				< current_offset) || (current_offset + length
+				> TOTAL_LENGTH_DOLBY_PARAM)) {
+				pr_err("%s: invalid length %d at idx %d\n",
+				__func__, length, idx);
+				return -EINVAL;
+			}
 			dolby_dap_params_length[idx] = length;
 			pr_debug("%s: param recvd deviceId=0x%x paramId=0x%x offset=%d length=%d\n",
 				__func__, device, param_id, offset, length);
-- 
cgit v1.1