Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1bf72834 authored by Ramireddy KrishnaKanth Reddy's avatar Ramireddy KrishnaKanth Reddy Committed by Abinath S
Browse files

dsp: q6voice: Adds checks for an integer overflow 



there is no check for cvs_voc_pkt[2],when recieves
0xffffffff from ADSP which results in an integer overflow
Fix is to address this.

Change-Id: Ie935dd8823981ec260d77f5117f4ef0b0fc08f60
Signed-off-by: default avatarRamireddy KrishnaKanth Reddy <quic_ramikris@quicinc.com>
parent d8a1e717

dsp/q6voice.c

+9 −3
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.

 * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved.

 */

#include <linux/slab.h>

#include <linux/kthread.h>
@@ -7917,7 +7918,7 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv) 
			 VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_READY) {

		int ret = 0;

		u16 cvs_handle;

		uint32_t *cvs_voc_pkt;

		uint32_t *cvs_voc_pkt, tot_buf_sz;

		struct cvs_enc_buffer_consumed_cmd send_enc_buf_consumed_cmd;

		void *apr_cvs;
@@ -7946,9 +7947,14 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv) 
			VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_CONSUMED;



		cvs_voc_pkt = v->shmem_info.sh_buf.buf[1].data;



		if (__builtin_add_overflow(cvs_voc_pkt[2], 3 * sizeof(uint32_t), &tot_buf_sz)) {

			 pr_err("%s: integer overflow detected\n", __func__);

			 return -EINVAL;

		}



		if (cvs_voc_pkt != NULL &&  common.mvs_info.ul_cb != NULL) {

			if (v->shmem_info.sh_buf.buf[1].size <

			    ((3 * sizeof(uint32_t)) + cvs_voc_pkt[2])) {

			if (v->shmem_info.sh_buf.buf[1].size < tot_buf_sz) {

				pr_err("%s: invalid voc pkt size\n", __func__);

				return -EINVAL;

			}