From 920b58ced94bfba727cc09a786449f37280b8e03 Mon Sep 17 00:00:00 2001
From: Vatsal Bucha <vbucha@codeaurora.org>
Date: Tue, 5 Mar 2019 16:00:21 +0530
Subject: [PATCH] dsp: q6voice: Check size of shared memory buffer before
 access

Check buffer size in qdsp_cvs_callback before access in
ul_pkt.

Change-Id: Ic19994b46086709231656ec747d2df988b7a512f
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
---
 sound/soc/msm/qdsp6v2/q6voice.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sound/soc/msm/qdsp6v2/q6voice.c b/sound/soc/msm/qdsp6v2/q6voice.c
index 69189140c936..3193dd0de140 100644
--- a/sound/soc/msm/qdsp6v2/q6voice.c
+++ b/sound/soc/msm/qdsp6v2/q6voice.c
@@ -6782,6 +6782,11 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv)
 
 		cvs_voc_pkt = v->shmem_info.sh_buf.buf[1].data;
 		if (cvs_voc_pkt != NULL &&  common.mvs_info.ul_cb != NULL) {
+			if (v->shmem_info.sh_buf.buf[1].size <
+			    ((3 * sizeof(uint32_t)) + cvs_voc_pkt[2])) {
+				pr_err("%s: invalid voc pkt size\n", __func__);
+				return -EINVAL;
+			}
 			/* cvs_voc_pkt[0] contains tx timestamp */
 			common.mvs_info.ul_cb((uint8_t *)&cvs_voc_pkt[3],
 					      cvs_voc_pkt[2],