dsp: afe: check for payload size before payload access (95376088) · Commits · e / devices / android_kernel_fairphone_FP3

dsp/q6afe.c

+15 −4

Original line number	Diff line number	Diff line
		@@ -371,14 +371,20 @@ static int32_t afe_callback(struct apr_client_data data, void priv)
		return -EINVAL;
		}

		if (payload[2] == AFE_PARAM_ID_DEV_TIMING_STATS) {
		av_dev_drift_afe_cb_handler(data->payload,
		data->payload_size);
		} else {
		if (rtac_make_afe_callback(data->payload,
		data->payload_size))
		return 0;

		if (data->payload_size < 3 * sizeof(uint32_t)) {
		pr_err("%s: Error: size %d is less than expected\n",
		__func__, data->payload_size);
		return -EINVAL;
		}

		if (payload[2] == AFE_PARAM_ID_DEV_TIMING_STATS) {
		av_dev_drift_afe_cb_handler(data->payload,
		data->payload_size);
		} else {
		if (sp_make_afe_callback(data->payload,
		data->payload_size))
		return -EINVAL;
		@@ -393,6 +399,11 @@ static int32_t afe_callback(struct apr_client_data data, void priv)

		payload = data->payload;
		if (data->opcode == APR_BASIC_RSP_RESULT) {
		if (data->payload_size < (2 * sizeof(uint32_t))) {
		pr_err("%s: Error: size %d is less than expected\n",
		__func__, data->payload_size);
		return -EINVAL;
		}
		pr_debug("%s:opcode = 0x%x cmd = 0x%x status = 0x%x token=%d\n",
		__func__, data->opcode,
		payload[0], payload[1], data->token);