mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
37 lines
1.4 KiB
Diff
37 lines
1.4 KiB
Diff
From 6217e5ede23285ddfee10d2e4ba0cc2d4c046205 Mon Sep 17 00:00:00 2001
|
|
From: Dan Carpenter <dan.carpenter@oracle.com>
|
|
Date: Wed, 16 Jul 2014 09:37:04 +0300
|
|
Subject: ALSA: compress: fix an integer overflow check
|
|
|
|
I previously added an integer overflow check here but looking at it now,
|
|
it's still buggy.
|
|
|
|
The bug happens in snd_compr_allocate_buffer(). We multiply
|
|
".fragments" and ".fragment_size" and that doesn't overflow but then we
|
|
save it in an unsigned int so it truncates the high bits away and we
|
|
allocate a smaller than expected size.
|
|
|
|
Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
|
|
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
|
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
---
|
|
sound/core/compress_offload.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
|
|
index 7403f34..89028fa 100644
|
|
--- a/sound/core/compress_offload.c
|
|
+++ b/sound/core/compress_offload.c
|
|
@@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
|
|
{
|
|
/* first let's check the buffer parameter's */
|
|
if (params->buffer.fragment_size == 0 ||
|
|
- params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
|
|
+ params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
|
|
return -EINVAL;
|
|
|
|
/* now codec parameters */
|
|
--
|
|
cgit v1.1
|
|
|