Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ad40ee7b authored by Xiaojun Sang's avatar Xiaojun Sang
Browse files

ASoC: msm: check payload size before memory allocation 



Buffer from mixer ctl or ADSP is composed of payload size and
actual payload. On a 32 bit platform, we could have an overflow
if payload size is below UINT_MAX while payload size + sizeof(struct)
is over UINT_MAX. Allocated memory size would be less than expected.
Check payload size against limit before memory allocation.

Change-Id: I0bf19ca7b8c93083177a21ad726122dc20f45551
Signed-off-by: default avatarXiaojun Sang <xsang@codeaurora.org>
parent 502257f3

sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c

+2 −3
Original line number Diff line number Diff line
@@ -3748,9 +3748,8 @@ static int msm_compr_adsp_stream_cmd_put(struct snd_kcontrol *kcontrol, 
		goto done;

	}





	if ((sizeof(struct msm_adsp_event_data) + event_data->payload_len) >=

					sizeof(ucontrol->value.bytes.data)) {

	if (event_data->payload_len > sizeof(ucontrol->value.bytes.data)

			 - sizeof(struct msm_adsp_event_data)) {

		pr_err("%s param length=%d  exceeds limit",

			__func__, event_data->payload_len);

		ret = -EINVAL;

sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c

+2 −2
Original line number Diff line number Diff line
@@ -1165,8 +1165,8 @@ static int msm_pcm_adsp_stream_cmd_put(struct snd_kcontrol *kcontrol, 
		goto done;

	}



	if ((sizeof(struct msm_adsp_event_data) + event_data->payload_len) >=

					sizeof(ucontrol->value.bytes.data)) {

	if (event_data->payload_len > sizeof(ucontrol->value.bytes.data)

			- sizeof(struct msm_adsp_event_data)) {

		pr_err("%s param length=%d  exceeds limit",

			__func__, event_data->payload_len);

		ret = -EINVAL;

sound/soc/msm/qdsp6v2/msm-qti-pp-config.c

+3 −2
Original line number Diff line number Diff line
@@ -982,8 +982,9 @@ int msm_adsp_inform_mixer_ctl(struct snd_soc_pcm_runtime *rtd, 


	event_data = (struct msm_adsp_event_data *)payload;

	kctl->info(kctl, &kctl_info);

	if (sizeof(struct msm_adsp_event_data)

		+ event_data->payload_len > kctl_info.count) {



	if (event_data->payload_len >

		kctl_info.count - sizeof(struct msm_adsp_event_data)) {

		pr_err("%s: payload length exceeds limit of %u bytes.\n",

			__func__, kctl_info.count);

		ret = -EINVAL;

sound/soc/msm/qdsp6v2/msm-transcode-loopback-q6-v2.c

+2 −3
Original line number Diff line number Diff line
@@ -692,9 +692,8 @@ static int msm_transcode_stream_cmd_put(struct snd_kcontrol *kcontrol, 
		goto done;

	}





	if ((sizeof(struct msm_adsp_event_data) + event_data->payload_len) >=

					sizeof(ucontrol->value.bytes.data)) {

	if (event_data->payload_len > sizeof(ucontrol->value.bytes.data)

		- sizeof(struct msm_adsp_event_data)) {

		pr_err("%s param length=%d  exceeds limit",

			 __func__, event_data->payload_len);

		ret = -EINVAL;