diff options
author | Bubble Fang <bubblefang@google.com> | 2023-12-26 04:06:03 +0000 |
---|---|---|
committer | Bubble Fang <bubblefang@google.com> | 2023-12-26 04:06:03 +0000 |
commit | c35496b5e46be6b2569009192df260dfa1620473 (patch) | |
tree | 63b8b6f881200698987c4e7e6ca84b24fae232ed | |
parent | b7c7bc30e7526dd07ca835bf7f534e1afc68c162 (diff) | |
download | msm-extra-c35496b5e46be6b2569009192df260dfa1620473.tar.gz |
ASoC: msm-lsm-client: Integer overflow checkandroid-u-qpr2-beta-3.1_r0.6android-14.0.0_r0.58android-msm-redbull-4.19-android14-qpr2-beta
Added integer overflow check for lsm_params_get_info size.
Bug: 309462484
Change-Id: Ide4ec94a2fa6c21d40b1101d8b05b5f7931075c8
Signed-off-by: Bubble Fang <bubblefang@google.com>
-rw-r--r-- | asoc/msm-lsm-client.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/asoc/msm-lsm-client.c b/asoc/msm-lsm-client.c index b90aede7..2440d548 100644 --- a/asoc/msm-lsm-client.c +++ b/asoc/msm-lsm-client.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2013-2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. */ #include <linux/init.h> #include <linux/err.h> @@ -2425,6 +2426,15 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, err = -EFAULT; goto done; } + + if (temp_p_info.param_size > 0 && + ((INT_MAX - sizeof(temp_p_info)) < + temp_p_info.param_size)) { + pr_err("%s: Integer overflow\n", __func__); + err = -EINVAL; + goto done; + } + size = sizeof(temp_p_info) + temp_p_info.param_size; p_info = kzalloc(size, GFP_KERNEL); |