evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "ASoC: soc: prevent risk of buffer overflow"

Browse source
This commit is contained in:
Linux Build Service Account 2016-11-14 21:54:00 -08:00 committed by Gerrit - the friendly Code Review server
commit 3d17c56b28
1 changed files with 16 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
sound/soc/msm/qdsp6v2/q6asm.c
View file

@ -5848,7 +5848,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
struct asm_buffer_node *buffer_node = NULL;
int rc = 0;
int i = 0;
int cmd_size = 0;
uint32_t cmd_size = 0;
uint32_t bufcnt_t;
uint32_t bufsz_t;
@ -5870,10 +5870,25 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
bufsz_t = PAGE_ALIGN(bufsz_t);
}
if (bufcnt_t > (UINT_MAX
- sizeof(struct avs_cmd_shared_mem_map_regions))
/ sizeof(struct avs_shared_map_region_payload)) {
pr_err("%s: Unsigned Integer Overflow. bufcnt_t = %u\n",
__func__, bufcnt_t);
return -EINVAL;
}
cmd_size = sizeof(struct avs_cmd_shared_mem_map_regions)
+ (sizeof(struct avs_shared_map_region_payload)
* bufcnt_t);
if (bufcnt > (UINT_MAX / sizeof(struct asm_buffer_node))) {
pr_err("%s: Unsigned Integer Overflow. bufcnt = %u\n",
__func__, bufcnt);
return -EINVAL;
}
buffer_node = kzalloc(sizeof(struct asm_buffer_node) * bufcnt,
GFP_KERNEL);
if (!buffer_node) {