Commit 19f84fea authored by Soumya Managoli, committed by ssizon

dsp: adm: Fix to avoid memory overread in adm callback



For ADM_CMDRSP_GET_PP_PARAMS_V5 cmd response,
the check for data payload_size is incorrect.
Modify the check condition to make sure there
is enough data to copy, size is contained in
payload[3].

Change-Id: I2f155ad8b302e89131ee85cfc72e4009dda617d3
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
parent ccb5e431
+2 −1
@@ -1762,7 +1762,8 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv)
			idx = ADM_GET_PARAMETER_LENGTH * copp_idx;
			idx = ADM_GET_PARAMETER_LENGTH * copp_idx;
			if ((payload[0] == 0) && (data->payload_size >
			if ((payload[0] == 0) && (data->payload_size >
				(4 * sizeof(*payload))) &&
				(4 * sizeof(*payload))) &&
				(data->payload_size - 4 >=
				(data->payload_size -
				(4 * sizeof(*payload)) >=
				payload[3]) &&
				payload[3]) &&
				(ARRAY_SIZE(adm_get_parameters) >
				(ARRAY_SIZE(adm_get_parameters) >
				idx) &&
				idx) &&
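
Review bot: In the new `(data->payload_size - (4 * sizeof(*payload)) >= payload[3])` test, payload[3] is bounded only against the bytes remaining in the incoming payload; the only destination-side check visible in this hunk is `ARRAY_SIZE(adm_get_parameters) > idx`, which covers the starting index and not the end of the copy. Please confirm that the conditions following `idx) &&` also limit payload[3] to the space left in adm_get_parameters after idx, and add a short comment stating the unit of payload[3], since it is compared against a byte count here while idx is counted in array elements. The subtraction is safe from wrapping only because the `data->payload_size > (4 * sizeof(*payload))` test precedes it in the && chain, so that ordering is worth a comment too. The header size `4 * sizeof(*payload)` now appears twice in the condition; a named constant or local would keep the two uses in sync.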