Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit daa76527 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server
Browse files

Merge "ASoC: soc: prevent risk of buffer overflow"

parents 4fa286af 493faa43

sound/soc/msm/qdsp6v2/q6asm.c

+16 −1
Original line number Diff line number Diff line
@@ -5483,7 +5483,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir, 
	struct asm_buffer_node *buffer_node = NULL;

	int	rc = 0;

	int    i = 0;

	int	cmd_size = 0;

	uint32_t cmd_size = 0;

	uint32_t bufcnt_t;

	uint32_t bufsz_t;
@@ -5505,10 +5505,25 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir, 
		bufsz_t = PAGE_ALIGN(bufsz_t);

	}



	if (bufcnt_t > (UINT_MAX

			- sizeof(struct avs_cmd_shared_mem_map_regions))

			/ sizeof(struct avs_shared_map_region_payload)) {

		pr_err("%s: Unsigned Integer Overflow. bufcnt_t = %u\n",

				__func__, bufcnt_t);

		return -EINVAL;

	}



	cmd_size = sizeof(struct avs_cmd_shared_mem_map_regions)

			+ (sizeof(struct avs_shared_map_region_payload)

							* bufcnt_t);





	if (bufcnt > (UINT_MAX / sizeof(struct asm_buffer_node))) {

		pr_err("%s: Unsigned Integer Overflow. bufcnt = %u\n",

				__func__, bufcnt);

		return -EINVAL;

	}



	buffer_node = kzalloc(sizeof(struct asm_buffer_node) * bufcnt,

				GFP_KERNEL);

	if (!buffer_node) {