ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
authorDan Carpenter <dan.carpenter@oracle.com>
Wed, 5 Sep 2012 12:32:18 +0000 (15:32 +0300)
committerTakashi Iwai <tiwai@suse.de>
Fri, 14 Sep 2012 09:04:37 +0000 (11:04 +0200)
These are 32 bit values that come from the user, we need to check for
integer overflows or we could end up allocating a smaller buffer than
expected.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
sound/core/compress_offload.c

index eb60cb8dbb8a6f12d965912e923197cdd2f4e8b5..68fe02c7400a29c8b4584b45a44ed75205950b2b 100644 (file)
@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
        unsigned int buffer_size;
        void *buffer;
 
+       if (params->buffer.fragment_size == 0 ||
+           params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+               return -EINVAL;
+
        buffer_size = params->buffer.fragment_size * params->buffer.fragments;
        if (stream->ops->copy) {
                buffer = NULL;