Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7a4d8574 authored by Kunlei Zhang's avatar Kunlei Zhang
Browse files

dsp: update size check for get VI param function 



In afe_get_cal_sp_th_vi_param functions, data size
should check with size of cal_type_header. The check
is not present which might lead to out of bounds access.

Update condition to ensure data_size is greater than
or equal to size of cal_type_header.

Change-Id: Ib2904f53243f4fb858131511812fd90de32b4656
Signed-off-by: default avatarKunlei Zhang <kunleiz@codeaurora.org>
parent 111a7ea8

dsp/q6afe.c

+5 −2
Original line number Diff line number Diff line
@@ -10860,6 +10860,7 @@ static int afe_get_cal_sp_th_vi_param(int32_t cal_type, size_t data_size, 


	if (cal_data == NULL ||

	    data_size > sizeof(*cal_data) ||

	    data_size < sizeof(cal_data->cal_hdr) ||

	    this_afe.cal_data[AFE_FB_SPKR_PROT_TH_VI_CAL] == NULL)

		return 0;
@@ -10888,7 +10889,8 @@ static int afe_get_cal_spv4_ex_vi_ftm_param(int32_t cal_type, size_t data_size, 
	pr_debug("%s: cal_type = %d\n", __func__, cal_type);

	if (this_afe.cal_data[AFE_FB_SPKR_PROT_V4_EX_VI_CAL] == NULL ||

	    cal_data == NULL ||

	    data_size != sizeof(*cal_data))

	    data_size > sizeof(*cal_data) ||

	    data_size < sizeof(cal_data->cal_hdr))

		goto done;



	mutex_lock(&this_afe.cal_data[AFE_FB_SPKR_PROT_V4_EX_VI_CAL]->lock);
@@ -10955,7 +10957,8 @@ static int afe_get_cal_sp_ex_vi_ftm_param(int32_t cal_type, size_t data_size, 
	pr_debug("%s: cal_type = %d\n", __func__, cal_type);

	if (this_afe.cal_data[AFE_FB_SPKR_PROT_EX_VI_CAL] == NULL ||

	    cal_data == NULL ||

	    data_size != sizeof(*cal_data))

	    data_size > sizeof(*cal_data) ||

	    data_size < sizeof(cal_data->cal_hdr))

		goto done;



	mutex_lock(&this_afe.cal_data[AFE_FB_SPKR_PROT_EX_VI_CAL]->lock);