ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()

These are 32 bit values that come from the user, we need to check for integer overflows or we could end up allocating a smaller buffer than expected. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2024-11-17 09:31:50 +00:00 · 2012-09-05 15:32:18 +03:00 · 2012-09-05 15:32:18 +03:00 · b35cc82258
commit b35cc82258
parent 1dac6695c6
1 changed files with 4 additions and 0 deletions
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
 	unsigned int buffer_size;
 	void *buffer;

+	if (params->buffer.fragment_size == 0 ||
+	    params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+		return -EINVAL;
+
 	buffer_size = params->buffer.fragment_size * params->buffer.fragments;
 	if (stream->ops->copy) {
 		buffer = NULL;