From 56ff68b1f93eaf22e5e0284648fd862dc08c9236 Mon Sep 17 00:00:00 2001
|
|
From: Mohammad Johny Shaik <mjshai@codeaurora.org>
|
|
Date: Thu, 12 Dec 2013 14:26:42 +0530
|
|
Subject: Asoc:msm:Added Buffer overflow check
|
|
|
|
The overflow check is required to ensure that user space data
|
|
in kernel may not go beyond buffer boundary.
|
|
|
|
Change-Id: I79b7e5f875fadcaeceb05f9163ae3666d4b6b7e1
|
|
CRs-Fixed: 563086
|
|
Signed-off-by: Mohammad Johny Shaik <mjshai@codeaurora.org>
|
|
---
|
|
arch/arm/mach-msm/qdsp6v2/audio_utils.c | 6 ++++++
|
|
sound/soc/msm/qdsp6v2/q6asm.c | 3 +++
|
|
2 files changed, 9 insertions(+)
|
|
|
|
diff --git a/arch/arm/mach-msm/qdsp6v2/audio_utils.c b/arch/arm/mach-msm/qdsp6v2/audio_utils.c
|
|
index 2a245f8..b8e55f9 100644
|
|
--- a/arch/arm/mach-msm/qdsp6v2/audio_utils.c
|
|
+++ b/arch/arm/mach-msm/qdsp6v2/audio_utils.c
|
|
@@ -23,6 +23,7 @@
|
|
#include <asm/ioctls.h>
|
|
#include "audio_utils.h"
|
|
|
|
+#define FRAME_SIZE (1 + ((1536+sizeof(struct meta_out_dsp)) * 5))
|
|
static int audio_in_pause(struct q6audio_in *audio)
|
|
{
|
|
int rc;
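Review bot: FRAME_SIZE is added without any comment explaining where 1536 and the multiplier 5 come from, although the second hunk of this file makes it the upper bound for a user-supplied `cfg.buffer_size`. A reader cannot tell from the visible lines whether the bound matches the largest buffer the read path actually handles. I would add a comment above the define along the lines of `/* Largest cfg.buffer_size accepted from userspace: 1 + 5 * (1536 + sizeof(struct meta_out_dsp)); <author to state what 1536 and 5 represent> */`. Because the macro contains `sizeof`, it has type `size_t`, which is worth stating so that the comparison in the ioctl is understood to be unsigned.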
|
|
@@ -258,6 +259,11 @@ long audio_in_ioctl(struct file *file,
|
|
rc = -EINVAL;
|
|
break;
|
|
}
|
|
+ if ((cfg.buffer_size > FRAME_SIZE) ||
|
|
+ (cfg.buffer_count != FRAME_NUM)) {
|
|
+ rc = -EINVAL;
|
|
+ break;
|
|
+ }
|
|
audio->str_cfg.buffer_size = cfg.buffer_size;
|
|
audio->str_cfg.buffer_count = cfg.buffer_count;
|
|
rc = q6asm_audio_client_buf_alloc(OUT, audio->ac,
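Review bot: The added check in audio_in_ioctl bounds `cfg.buffer_size` only from above, so a value of 0 still gets stored in `audio->str_cfg` and passed to q6asm_audio_client_buf_alloc. Whether a zero size is rejected further down is not visible in this hunk, so it is safer to reject it here with `if ((cfg.buffer_size == 0) || (cfg.buffer_size > FRAME_SIZE) ||`. The declaration of `cfg` is also outside the hunk; if `buffer_size` is a signed type, the comparison rejects negative values only through implicit conversion to `size_t`, which deserves a one-line comment. The enclosing switch case starts and ends outside the hunk.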
|
|
diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
|
|
index 82b92aa9..09c40d6 100644
|
|
--- a/sound/soc/msm/qdsp6v2/q6asm.c
|
|
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
|
|
@@ -55,6 +55,7 @@
|
|
#define READDONE_IDX_FLAGS 8
|
|
#define READDONE_IDX_NUMFRAMES 9
|
|
#define READDONE_IDX_SEQ_ID 10
|
|
+#define FRAME_NUM (8)
|
|
|
|
/* TODO, combine them together */
|
|
static DEFINE_MUTEX(session_lock);
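Review bot: `FRAME_NUM` is defined here as a file-local macro in q6asm.c, but the same commit also uses `FRAME_NUM` in arch/arm/mach-msm/qdsp6v2/audio_utils.c, where no definition is visible. That file presumably gets it from a header such as audio_utils.h. Two independent definitions of the same limit can drift apart, and then the ioctl check and the allocator check would disagree about which buffer count is valid. I would move the constant into one shared header that both files include, or at minimum add `/* must match FRAME_NUM used by the audio_in ioctl check */` next to this define.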
|
|
@@ -608,6 +609,8 @@ int q6asm_audio_client_buf_alloc(unsigned int dir,
|
|
pr_debug("%s: buffer already allocated\n", __func__);
|
|
return 0;
|
|
}
|
|
+ if (bufcnt != FRAME_NUM)
|
|
+ goto fail;
|
|
mutex_lock(&ac->cmd_lock);
|
|
buf = kzalloc(((sizeof(struct audio_buffer))*bufcnt),
|
|
GFP_KERNEL);
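Review bot: The new `goto fail` for `bufcnt != FRAME_NUM` is taken before `mutex_lock(&ac->cmd_lock)`, and the `fail` label is outside the hunk. It should be confirmed that the cleanup there neither unlocks `cmd_lock` nor frees buffer state that has not been set up yet on this path. If the label does more than return an error, a direct `return -EINVAL;` is the safer form for a pure argument check. This also makes a shared allocator reject every caller whose buffer count is not exactly 8, so callers other than the audio_in ioctl should be checked. A `pr_err("%s: invalid bufcnt %d\n", __func__, bufcnt);` before the jump would make the rejection diagnosable.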
|
|
--
|
|
cgit v1.1
|
|
|