diff options
author | Akhila musunuri <makhila@codeaurora.org> | 2014-07-16 09:37:04 +0300 |
---|---|---|
committer | Akhila musunuri <makhila@codeaurora.org> | 2016-07-19 16:12:38 +0530 |
commit | 9ea08eae1252c50831e85f8083eae2aa64ddf3e4 (patch) | |
tree | 2f6582ce547e05a008899bd651b7dec5c32f5c42 | |
parent | 7c6006ed554725719b134c8476a565acb7587344 (diff) |
ALSA: compress: fix an integer overflow checkandroid-lego-6.0.1_r0.6
I previously added an integer overflow check here but looking at it now,
it's still buggy.
The bug happens in snd_compr_allocate_buffer(). We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.
Change-Id: Ifaeca85636bee6d5587009170d0539b31fe9b340
Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Git-commit: 6217e5ede23285ddfee10d2e4ba0cc2d4c046205
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
-rw-r--r-- | sound/core/compress_offload.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index 627078325967..d7af24d68bbb 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -496,7 +496,7 @@ static int snd_compress_check_input(struct snd_compr_params *params) { /* first let's check the buffer parameter's */ if (params->buffer.fragment_size == 0 || - params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size) + params->buffer.fragments > INT_MAX / params->buffer.fragment_size) return -EINVAL; /* now codec parameters */ |