diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2012-09-05 14:32:18 +0200 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2012-09-14 11:04:37 +0200 |
commit | b35cc8225845112a616e3a2266d2fde5ab13d3ab (patch) | |
tree | 57156aa83f8989189914d9b8a78ae226fd2a6023 /sound/core | |
parent | ALSA: hda - Allow to pass position_fix=0 explicitly (diff) | |
download | linux-b35cc8225845112a616e3a2266d2fde5ab13d3ab.tar.xz linux-b35cc8225845112a616e3a2266d2fde5ab13d3ab.zip |
ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
These are 32 bit values that come from the user, we need to check for
integer overflows or we could end up allocating a smaller buffer than
expected.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/core')
-rw-r--r-- | sound/core/compress_offload.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index eb60cb8dbb8a..68fe02c7400a 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream, unsigned int buffer_size; void *buffer; + if (params->buffer.fragment_size == 0 || + params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size) + return -EINVAL; + buffer_size = params->buffer.fragment_size * params->buffer.fragments; if (stream->ops->copy) { buffer = NULL; |