Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-10-01 05:35:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
75099b9404
DivestOS/Patches/Linux_CVEs/CVE-2016-5867/0.patch

52 lines
2.0 KiB
Diff
Raw Blame History

From 065360da7147003aed8f59782b7652d565f56be5 Mon Sep 17 00:00:00 2001
From: Sharad Sangle <assangle@codeaurora.org>
Date: Mon, 19 Dec 2016 17:00:25 +0530
Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
To avoid buffer overflow, validate input length used to
set Dolby params.
Change-Id: I3f9d6040f118f63b60c20c83b0d8cae638f4a530
CRs-Fixed: 1095947
Signed-off-by: Sharad Sangle <assangle@codeaurora.org>
---
sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
index 5866e46..d270b3d 100644
--- a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
+++ b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
@@ -681,7 +681,7 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
int rc = 0, port_id, copp_idx;
- uint32_t idx, j;
+ uint32_t idx, j, current_offset;
uint32_t device = ucontrol->value.integer.value[0];
uint32_t param_id = ucontrol->value.integer.value[1];
uint32_t offset = ucontrol->value.integer.value[2];
@@ -758,6 +758,19 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
default: {
/* cache the parameters */
dolby_dap_params_modified[idx] += 1;
+ current_offset = dolby_dap_params_offset[idx] + offset;
+ if (current_offset >= TOTAL_LENGTH_DOLBY_PARAM) {
+ pr_err("%s: invalid offset %d at idx %d\n",
+ __func__, offset, idx);
+ return -EINVAL;
+ }
+ if ((0 == length) || (current_offset + length - 1
+ < current_offset) || (current_offset + length
+ > TOTAL_LENGTH_DOLBY_PARAM)) {
+ pr_err("%s: invalid length %d at idx %d\n",
+ __func__, length, idx);
+ return -EINVAL;
+ }
dolby_dap_params_length[idx] = length;
pr_debug("%s: param recvd deviceId=0x%x paramId=0x%x offset=%d length=%d\n",
__func__, device, param_id, offset, length);
--
cgit v1.1
Reference in New Issue View Git Blame Copy Permalink