DivestOS/Patches/Linux_CVEs/CVE-2016-5859/3.10/0001.patch

From 302b5348ecbba8cf032a9ffaaa63222a2b285d89 Mon Sep 17 00:00:00 2001
From: Sharad Sangle <assangle@codeaurora.org>
Date: Tue, 13 Dec 2016 14:35:39 +0530
Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length

To avoid buffer overflow, validate input length used to
fetch visualizer data.

CRs-fixed: 1096672
Change-Id: I224bc2f20d94182713c565972fb0bd52cad6f3fd
Signed-off-by: Sharad Sangle <assangle@codeaurora.org>
---
 sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
index bb0f890..5866e46 100644
--- a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
+++ b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2014, 2016, The Linux Foundation. All rights reserved.
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
 * only version 2 as published by the Free Software Foundation.
@@ -18,6 +18,10 @@
 
 #include "msm-dolby-dap-config.h"
 
+#ifndef DOLBY_PARAM_VCNB_MAX_LENGTH
+#define DOLBY_PARAM_VCNB_MAX_LENGTH 40
+#endif
+
 /* dolby endp based parameters */
 struct dolby_dap_endp_params_s {
 	int device;
@@ -896,6 +900,11 @@ int msm_dolby_dap_param_visualizer_control_get(struct snd_kcontrol *kcontrol,
 	uint32_t param_payload_len =
 		DOLBY_PARAM_PAYLOAD_SIZE * sizeof(uint32_t);
 	int port_id, copp_idx, idx;
+	if (length > DOLBY_PARAM_VCNB_MAX_LENGTH || length <= 0) {
+		pr_err("%s Incorrect VCNB length", __func__);
+		ucontrol->value.integer.value[0] = 0;
+		return -EINVAL;
+	}
 	for (idx = 0; idx < AFE_MAX_PORTS; idx++) {
 		port_id = dolby_dap_params_states.port_id[idx];
 		copp_idx = dolby_dap_params_states.copp_idx[idx];
-- 
cgit v1.1