summaryrefslogtreecommitdiff
path: root/sound/core
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2012-09-05 16:32:18 +0400
committerTakashi Iwai <tiwai@suse.de>2012-09-14 13:04:37 +0400
commitb35cc8225845112a616e3a2266d2fde5ab13d3ab (patch)
tree57156aa83f8989189914d9b8a78ae226fd2a6023 /sound/core
parent1dac6695c683c66d0cff10a84c6ed10dbbaabc18 (diff)
downloadlinux-b35cc8225845112a616e3a2266d2fde5ab13d3ab.tar.xz
ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
These are 32 bit values that come from the user, we need to check for integer overflows or we could end up allocating a smaller buffer than expected. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/core')
-rw-r--r--sound/core/compress_offload.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index eb60cb8dbb8a..68fe02c7400a 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
unsigned int buffer_size;
void *buffer;
+ if (params->buffer.fragment_size == 0 ||
+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+ return -EINVAL;
+
buffer_size = params->buffer.fragment_size * params->buffer.fragments;
if (stream->ops->copy) {
buffer = NULL;