Skip to content

Commit

Permalink
ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
Browse files Browse the repository at this point in the history 
These are 32 bit values that come from the user, we need to check for
integer overflows or we could end up allocating a smaller buffer than
expected.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
  • Loading branch information
Dan Carpenter authored and Takashi Iwai committed Sep 14, 2012
1 parent 1dac669 commit b35cc82
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions sound/core/compress_offload.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
unsigned int buffer_size;
void *buffer;

if (params->buffer.fragment_size == 0 ||
params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
return -EINVAL;

buffer_size = params->buffer.fragment_size * params->buffer.fragments;
if (stream->ops->copy) {
buffer = NULL;
Expand Down

0 comments on commit b35cc82

Please sign in to comment.