From 66b26c141c4ecaa3c4e0d4dba53a4421550a329c Mon Sep 17 00:00:00 2001 From: Soumya Managoli Date: Wed, 16 Oct 2019 16:48:20 +0530 Subject: [PATCH] asoc: msm-routing: Fix array out of bounds issue It seems there is out of bound access chances for lsm_app_type_cfg array within msm_routing_get_lsm_app_type_cfg_control() callback. Added case check to return invalid value if user tries to exceed maximum allocated size of array to avoid it. Change-Id: Ied86e6c9a957255c55bb126a09741fbde429be32 Signed-off-by: Soumya Managoli --- sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c index 965de5ca4f66..ed3ee03553b3 100644 --- a/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c +++ b/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c @@ -15269,16 +15269,18 @@ static int msm_routing_put_lsm_app_type_cfg_control( struct snd_ctl_elem_value *ucontrol) { int i = 0, j; - int num_app_types = ucontrol->value.integer.value[i++]; + int num_app_types; - memset(lsm_app_type_cfg, 0, MAX_APP_TYPES* - sizeof(struct msm_pcm_routing_app_type_data)); - if (num_app_types > MAX_APP_TYPES) { + if (ucontrol->value.integer.value[0] > MAX_APP_TYPES) { pr_err("%s: number of app types exceed the max supported\n", __func__); return -EINVAL; } + num_app_types = ucontrol->value.integer.value[i++]; + memset(lsm_app_type_cfg, 0, MAX_APP_TYPES* + sizeof(struct msm_pcm_routing_app_type_data)); + for (j = 0; j < num_app_types; j++) { lsm_app_type_cfg[j].app_type = ucontrol->value.integer.value[i++];