ASoC: msm: qdsp6v2: fix possible integer overflow (7a40e7da) · Commits · e / devices / android_kernel_sony_msm8994

sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c

+21 −8

Original line number	Diff line number	Diff line
		@@ -1022,12 +1022,19 @@ static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream,
		int i;
		struct snd_dec_ddp *ddp =
		&compr->info.codec_param.codec.options.ddp;
		uint32_t params_length = ddp->params_length*sizeof(int);
		uint32_t params_length = 0;
		/* check integer overflow */
		if (ddp->params_length > UINT_MAX/sizeof(int)) {
		pr_err("%s: Integer overflow ddp->params_length %d\n",
		__func__, ddp->params_length);
		return -EINVAL;
		}
		params_length = ddp->params_length*sizeof(int);
		if (params_length > MAX_AC3_PARAM_SIZE) {
		/MAX is 36sizeof(int) this should not happen*/
		pr_err("params_length(%d) is greater than %zd",
		params_length, MAX_AC3_PARAM_SIZE);
		params_length = MAX_AC3_PARAM_SIZE;
		pr_err("%s: params_length(%d) is greater than %zd\n",
		__func__, params_length, MAX_AC3_PARAM_SIZE);
		return -EINVAL;
		}
		pr_debug("SND_AUDIOCODEC_AC3\n");
		compr->codec = FORMAT_AC3;
		@@ -1059,12 +1066,18 @@ static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream,
		int i;
		struct snd_dec_ddp *ddp =
		&compr->info.codec_param.codec.options.ddp;
		uint32_t params_length = ddp->params_length*sizeof(int);
		uint32_t params_length = 0;
		/* check integer overflow */
		if (ddp->params_length > UINT_MAX/sizeof(int)) {
		pr_err("%s: Integer overflow ddp->params_length %d\n",
		__func__, ddp->params_length);
		return -EINVAL;
		}
		if (params_length > MAX_AC3_PARAM_SIZE) {
		/MAX is 36sizeof(int) this should not happen*/
		pr_err("params_length(%d) is greater than %zd",
		params_length, MAX_AC3_PARAM_SIZE);
		params_length = MAX_AC3_PARAM_SIZE;
		pr_err("%s: params_length(%d) is greater than %d\n",
		__func__, params_length, MAX_AC3_PARAM_SIZE);
		return -EINVAL;
		}
		pr_debug("SND_AUDIOCODEC_EAC3\n");
		compr->codec = FORMAT_EAC3;