diff options
| author | Phani Kumar Uppalapati <phaniu@codeaurora.org> | 2013-09-26 12:27:56 -0700 |
|---|---|---|
| committer | David Keitel <dkeitel@codeaurora.org> | 2016-03-23 20:10:18 -0700 |
| commit | 6ba6d2e98322dd4d8ea07b39d5129671c403ec03 (patch) | |
| tree | 98e886d8e02053442990d8ccb841f4f5e7563316 | |
| parent | f928605b0e173bc4b9614375820bd91ed1ee095e (diff) | |
ALSA: pcm: check for integer overflow during multiplication
Channel info data structure is parsed from userspace and if
user does not set the no. of channels correctly, it could lead
to security vulnerability if we don't check for overflow when the
no. of channels is multiplied with pcm bit width. Add a condition
to check for overflow during multiplication.
CRs-fixed: 537818
Change-Id: Ib9631b6e45d77b39be2c27343d4aee3e9244d8cc
Signed-off-by: Phani Kumar Uppalapati <phaniu@codeaurora.org>
| -rw-r--r-- | sound/core/pcm_lib.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c index 678b96aec203..0632ebf0d971 100644 --- a/sound/core/pcm_lib.c +++ b/sound/core/pcm_lib.c @@ -1792,6 +1792,11 @@ static int snd_pcm_lib_ioctl_channel_info(struct snd_pcm_substream *substream, switch (runtime->access) { case SNDRV_PCM_ACCESS_MMAP_INTERLEAVED: case SNDRV_PCM_ACCESS_RW_INTERLEAVED: + if ((UINT_MAX/width) < info->channel) { + snd_printd("%s: integer overflow while multiply\n", + __func__); + return -EINVAL; + } info->first = info->channel * width; info->step = runtime->channels * width; break; @@ -1799,6 +1804,12 @@ static int snd_pcm_lib_ioctl_channel_info(struct snd_pcm_substream *substream, case SNDRV_PCM_ACCESS_RW_NONINTERLEAVED: { size_t size = runtime->dma_bytes / runtime->channels; + + if ((size > 0) && ((UINT_MAX/(size * 8)) < info->channel)) { + snd_printd("%s: integer overflow while multiply\n", + __func__); + return -EINVAL; + } info->first = info->channel * size * 8; info->step = width; break; |