ASoC: msm: qdsp6v2: DAP: Fix buffer overflow (7eb824e8) · Commits · e / devices / android_kernel_xiaomi_markw

sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c

+20 −4

Original line number	Diff line number	Diff line
		/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
		/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		* only version 2 as published by the Free Software Foundation.
		@@ -1356,7 +1356,11 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg)
		int ret = 0, port_id = 0;
		int32_t data;
		struct dolby_param_data dolby_data = (struct dolby_param_data )arg;
		get_user(data, &dolby_data->data[0]);
		if (get_user(data, &dolby_data->data[0])) {
		pr_debug("%s error getting data\n", __func__);
		ret = -EFAULT;
		goto end;
		}

		pr_debug("%s: param_id %d,be_id %d,device_id 0x%x,length %d,data %d\n",
		__func__, dolby_data->param_id, dolby_data->be_id,
		@@ -1471,11 +1475,23 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg)
		goto end;
		}

		off = ds2_dap_params_offset[idx];
		if ((dolby_data->length <= 0) \|\|
		(dolby_data->length > TOTAL_LENGTH_DS2_PARAM - off)) {
		pr_err("%s: invalid length %d at idx %d\n",
		__func__, dolby_data->length, idx);
		rc = -EINVAL;
		goto end;
		}

		/* cache the parameters */
		ds2_dap_params[cdev].dap_params_modified[idx] += 1;
		for (j = 0; j < dolby_data->length; j++) {
		off = ds2_dap_params_offset[idx];
		get_user(data, &dolby_data->data[j]);
		if (get_user(data, &dolby_data->data[j])) {
		pr_debug("%s:error getting data\n", __func__);
		rc = -EFAULT;
		goto end;
		}
		ds2_dap_params[cdev].params_val[off + j] = data;
		pr_debug("%s:off %d,val[i/p:o/p]-[%d / %d]\n",
		__func__, off, data,