diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2014-07-16 02:37:04 -0400 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2014-07-16 09:27:03 -0400 |
| commit | 6217e5ede23285ddfee10d2e4ba0cc2d4c046205 (patch) | |
| tree | 568d58db520a580ce8070d55d695ec854d8d9bea | |
| parent | 892028acf020e5f9f8e8894b404400b360f5fe4f (diff) | |
ALSA: compress: fix an integer overflow check
I previously added an integer overflow check here but looking at it now,
it's still buggy.
The bug happens in snd_compr_allocate_buffer(). We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.
Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
| -rw-r--r-- | sound/core/compress_offload.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index 7403f348ed14..89028fab64fd 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c | |||
| @@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params) | |||
| 491 | { | 491 | { |
| 492 | /* first let's check the buffer parameter's */ | 492 | /* first let's check the buffer parameter's */ |
| 493 | if (params->buffer.fragment_size == 0 || | 493 | if (params->buffer.fragment_size == 0 || |
| 494 | params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size) | 494 | params->buffer.fragments > INT_MAX / params->buffer.fragment_size) |
| 495 | return -EINVAL; | 495 | return -EINVAL; |
| 496 | 496 | ||
| 497 | /* now codec parameters */ | 497 | /* now codec parameters */ |