diff options
| author | Bubble Fang <bubblefang@google.com> | 2023-09-04 07:09:25 +0000 |
|---|---|---|
| committer | Bubble Fang <bubblefang@google.com> | 2023-09-26 06:40:08 +0000 |
| commit | a37ceaedf6fa842c011130b3558e86dbafa2893e (patch) | |
| tree | 5a0245d86c675ee1f033e580df4283f486c67fc7 | |
| parent | df1e0e6426824a5f87e31c1cd71254e492cc3644 (diff) | |
| download | msm-extra-a37ceaedf6fa842c011130b3558e86dbafa2893e.tar.gz | |
dsp: q6core: Avoid OOB access in q6core
"num_services", a signed integer when compared
with constant results in conversion of signed integer
to max possible unsigned int value when "num_services"
is a negative value. This can lead to OOB read.
Fix is to handle this case.
Bug: 295052084
Change-Id: I6b3a2939451bea905bdbf02015be294af1867b96
Signed-off-by: Bubble Fang <bubblefang@google.com>
| -rw-r--r-- | dsp/q6core.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/dsp/q6core.c b/dsp/q6core.c index dae0a03c..a58a03b3 100644 --- a/dsp/q6core.c +++ b/dsp/q6core.c @@ -205,7 +205,7 @@ EXPORT_SYMBOL(q6core_send_uevent); static int parse_fwk_version_info(uint32_t *payload, uint16_t payload_size) { size_t ver_size; - int num_services; + uint16_t num_services; pr_debug("%s: Payload info num services %d\n", __func__, payload[4]); |