From a37ceaedf6fa842c011130b3558e86dbafa2893e Mon Sep 17 00:00:00 2001
From: Bubble Fang <bubblefang@google.com>
Date: Mon, 4 Sep 2023 07:09:25 +0000
Subject: dsp: q6core: Avoid OOB access in q6core

"num_services", a signed integer when compared
with constant results in conversion of signed integer
to max possible unsigned int value when "num_services"
is a negative value. This can lead to OOB read.
Fix is to handle this case.

Bug: 295052084
Change-Id: I6b3a2939451bea905bdbf02015be294af1867b96
Signed-off-by: Bubble Fang <bubblefang@google.com>
---
 dsp/q6core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dsp/q6core.c b/dsp/q6core.c
index dae0a03c..a58a03b3 100644
--- a/dsp/q6core.c
+++ b/dsp/q6core.c
@@ -205,7 +205,7 @@ EXPORT_SYMBOL(q6core_send_uevent);
 static int parse_fwk_version_info(uint32_t *payload, uint16_t payload_size)
 {
 	size_t ver_size;
-	int num_services;
+	uint16_t num_services;
 
 	pr_debug("%s: Payload info num services %d\n",
 		 __func__, payload[4]);
-- 
cgit v1.2.3