authorBubble Fang <bubblefang@google.com>2023-12-26 04:06:03 +0000
committerBubble Fang <bubblefang@google.com>2023-12-26 04:06:03 +0000
commitc35496b5e46be6b2569009192df260dfa1620473 (patch)
tree63b8b6f881200698987c4e7e6ca84b24fae232ed
parentb7c7bc30e7526dd07ca835bf7f534e1afc68c162 (diff)
Added integer overflow check for lsm_params_get_info size. Bug: 309462484 Change-Id: Ide4ec94a2fa6c21d40b1101d8b05b5f7931075c8 Signed-off-by: Bubble Fang <bubblefang@google.com>
-rw-r--r--asoc/msm-lsm-client.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/asoc/msm-lsm-client.c b/asoc/msm-lsm-client.c
index b90aede7..2440d548 100644
--- a/asoc/msm-lsm-client.c
+++ b/asoc/msm-lsm-client.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (c) 2013-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/init.h>
#include <linux/err.h>
@@ -2425,6 +2426,15 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
err = -EFAULT;
goto done;
}
+
+ if (temp_p_info.param_size > 0 &&
+ ((INT_MAX - sizeof(temp_p_info)) <
+ temp_p_info.param_size)) {
+ pr_err("%s: Integer overflow\n", __func__);
+ err = -EINVAL;
+ goto done;
+ }
+
size = sizeof(temp_p_info) + temp_p_info.param_size;
p_info = kzalloc(size, GFP_KERNEL);