Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b35cc822 authored by Dan Carpenter's avatar Dan Carpenter Committed by Takashi Iwai
Browse files

ALSA: compress_core: integer overflow in snd_compr_allocate_buffer() 



These are 32 bit values that come from the user, we need to check for
integer overflows or we could end up allocating a smaller buffer than
expected.

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent 1dac6695

sound/core/compress_offload.c

+4 −0
Original line number Diff line number Diff line
@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream, 
	unsigned int buffer_size;

	void *buffer;



	if (params->buffer.fragment_size == 0 ||

	    params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)

		return -EINVAL;



	buffer_size = params->buffer.fragment_size * params->buffer.fragments;

	if (stream->ops->copy) {

		buffer = NULL;