Merge "ASoC: msm: Add Buffer overflow check" · e8afdbad3e - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

Merge "ASoC: msm: Add Buffer overflow check"

This commit is contained in:

Linux Build Service Account

2016-09-12 14:42:28 -07:00

• committed by

Gerrit - the friendly Code Review server

parent a1bf0348c4 287879c3be

commit e8afdbad3e

3 changed files with 17 additions and 4 deletions

									
										15

drivers/misc/qcom/qdsp6v2/audio_utils.c
									
										View file
										
				@ -1,4 +1,4 @@

				/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.

				/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.

				 *

				 * This program is free software; you can redistribute it and/or modify

				 * it under the terms of the GNU General Public License version 2 and

				@ -24,6 +24,15 @@

				#include <asm/ioctls.h>

				#include "audio_utils.h"

				/*

				 * Define maximum buffer size. Below values are chosen considering the higher

				 * values used among all native drivers.

				 */

				#define MAX_FRAME_SIZE	1536

				#define MAX_FRAMES	5

				#define META_SIZE	(sizeof(struct meta_out_dsp))

				#define MAX_BUFFER_SIZE	(1 + ((MAX_FRAME_SIZE + META_SIZE) * MAX_FRAMES))

				static int audio_in_pause(struct q6audio_in  *audio)

				{

					int rc;

				@ -329,6 +338,10 @@ long audio_in_ioctl(struct file *file,

							rc = -EINVAL;

							break;

						}

						if (cfg.buffer_size > MAX_BUFFER_SIZE) {

							rc = -EINVAL;

							break;

						}

						audio->str_cfg.buffer_size = cfg.buffer_size;

						audio->str_cfg.buffer_count = cfg.buffer_count;

						if (audio->opened) {

									
										2

include/sound/q6asm-v2.h
									
										View file
										
				@ -226,7 +226,7 @@ struct audio_client *q6asm_get_audio_client(int session_id);

				int q6asm_audio_client_buf_alloc(unsigned int dir/* 1:Out,0:In */,

								struct audio_client *ac,

								unsigned int bufsz,

								unsigned int bufcnt);

								uint32_t bufcnt);

				int q6asm_audio_client_buf_alloc_contiguous(unsigned int dir

								/* 1:Out,0:In */,

								struct audio_client *ac,

									
										4

sound/soc/msm/qdsp6v2/q6asm.c
									
										View file
										
				@ -1195,7 +1195,7 @@ err:

				int q6asm_audio_client_buf_alloc(unsigned int dir,

							struct audio_client *ac,

							unsigned int bufsz,

							unsigned int bufcnt)

							uint32_t bufcnt)

				{

					int cnt = 0;

					int rc = 0;

				@ -1222,7 +1222,7 @@ int q6asm_audio_client_buf_alloc(unsigned int dir,

							return 0;

						}

						mutex_lock(&ac->cmd_lock);

						if (bufcnt > (LONG_MAX/sizeof(struct audio_buffer))) {

						if (bufcnt > (U32_MAX/sizeof(struct audio_buffer))) {

							pr_err("%s: Buffer size overflows", __func__);

							mutex_unlock(&ac->cmd_lock);

							goto fail;