diff options
| author | Soumya Managoli <quic_c_smanag@quicinc.com> | 2023-09-01 13:11:33 +0530 |
|---|---|---|
| committer | Georg Veichtlbauer <georg@vware.at> | 2023-11-08 17:53:52 +0100 |
| commit | 902623421e7f00863589edf3c7feb2ec5a7b22ed (patch) | |
| tree | 78f8cbebb9203355aca787634e1b8d1ba6222457 | |
| parent | 68b3292feb853cd8e5396504da46d4e41183dd2a (diff) | |
dsp: afe: Add check for sidetone iir config copy size.
Avoid OOB access of sidetone iir config array when
iir_num_biquad_stages returned from cal block is > 10
Change-Id: I45b95e8bdd1a993a526590c94cf2f9a85c12af37
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
| -rw-r--r-- | sound/soc/msm/qdsp6v2/q6afe.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sound/soc/msm/qdsp6v2/q6afe.c b/sound/soc/msm/qdsp6v2/q6afe.c index 610604fcfe15..21370dbadb5b 100644 --- a/sound/soc/msm/qdsp6v2/q6afe.c +++ b/sound/soc/msm/qdsp6v2/q6afe.c @@ -5475,6 +5475,13 @@ static int afe_sidetone_iir(u16 tx_port_id) pr_debug("%s: adding 2 to size:%d\n", __func__, size); size = size + 2; } + + if (size > MAX_SIDETONE_IIR_DATA_SIZE) { + pr_err("%s: iir_config size is out of bounds:%d\n", __func__, size); + mutex_unlock(&this_afe.cal_data[cal_index]->lock); + ret = -EINVAL; + goto done; + } memcpy(&filter_data.iir_config, &st_iir_cal_info->iir_config, size); mutex_unlock(&this_afe.cal_data[cal_index]->lock); |