Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-10 07:00:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ALSA: compress: fix an integer overflow check

Browse Source 
I previously added an integer overflow check here but looking at it now,
it's still buggy.

The bug happens in snd_compr_allocate_buffer().  We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.

Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
Dan Carpenter 2014-07-16 09:37:04 +03:00 committed by Takashi Iwai
parent 892028acf0
commit 6217e5ede2
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sound/core/compress_offload.c
View File

@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
{ {
/* first let's check the buffer parameter's */ /* first let's check the buffer parameter's */
if (params->buffer.fragment_size == 0 || if (params->buffer.fragment_size == 0 ||
params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size) params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
return -EINVAL; return -EINVAL;
/* now codec parameters */ /* now codec parameters */