ALSA: pcm: check for integer overflow during multiplication

The channel info data structure is parsed from userspace. If the
user does not set the number of channels correctly, multiplying
the number of channels by the PCM bit width can overflow, which
could lead to a security vulnerability. Add a condition to check
for overflow during the multiplication.

CRs-fixed: 537818
Change-Id: Ib9631b6e45d77b39be2c27343d4aee3e9244d8cc
Signed-off-by: Phani Kumar Uppalapati <phaniu@codeaurora.org>
Phani Kumar Uppalapati 2013-09-26 12:27:56 -07:00 committed by David Keitel
parent f928605b0e
commit 6ba6d2e983


@ -1792,6 +1792,11 @@ static int snd_pcm_lib_ioctl_channel_info(struct snd_pcm_substream *substream,
switch (runtime->access) {
case SNDRV_PCM_ACCESS_MMAP_INTERLEAVED:
case SNDRV_PCM_ACCESS_RW_INTERLEAVED:
if ((UINT_MAX/width) < info->channel) {
snd_printd("%s: integer overflow while multiply\n",
__func__);
return -EINVAL;
}
info->first = info->channel * width;
info->step = runtime->channels * width;
break;
@ -1799,6 +1804,12 @@ static int snd_pcm_lib_ioctl_channel_info(struct snd_pcm_substream *substream,
case SNDRV_PCM_ACCESS_RW_NONINTERLEAVED:
{
size_t size = runtime->dma_bytes / runtime->channels;
if ((size > 0) && ((UINT_MAX/(size * 8)) < info->channel)) {
snd_printd("%s: integer overflow while multiply\n",
__func__);
return -EINVAL;
}
info->first = info->channel * size * 8;
info->step = width;
break;
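Review bot: The new guards in both case arms only reject an `info->channel` large enough to wrap the unsigned product, so an index that is past `runtime->channels` but too small to overflow still produces an `info->first` offset outside the stream's channel layout. Unless the caller (not visible in these hunks) already validates the index, a range check ahead of the `switch`, `if (info->channel >= runtime->channels) return -EINVAL;`, would cover both arms. The first arm also divides by `width` and the second by `runtime->channels`, and neither is shown to be non-zero here, so it is worth confirming both are checked earlier in the function. The body of snd_pcm_lib_ioctl_channel_info starts and ends outside the hunks.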