joel16/android_kernel_sony_msm8994
1
0
Fork 0
mirror of https://github.com/joel16/android_kernel_sony_msm8994.git synced 2024-11-27 14:11:04 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()

Browse Source 
These are 32 bit values that come from the user, we need to check for
integer overflows or we could end up allocating a smaller buffer than
expected.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
Dan Carpenter 2012-09-05 15:32:18 +03:00 committed by Olivier Karasangabo
parent 2ac436a711
commit 5e33183da8
No known key found for this signature in database
GPG Key ID: C5C93AF8ED1CCEB5
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sound/core/compress_offload.c
View File

@ -474,6 +474,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
unsigned int buffer_size;
void *buffer;
if (params->buffer.fragment_size == 0 ||
params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
return -EINVAL;
buffer_size = params->buffer.fragment_size * params->buffer.fragments;
if (stream->ops->copy) {
buffer = NULL;