diff options
| author | Karthik Reddy Katta <a_katta@codeaurora.org> | 2016-09-07 18:02:23 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2016-09-10 04:49:15 -0700 |
| commit | 287879c3beb3e50decdbec07895d0698d7212a9a (patch) | |
| tree | 3f95a730f76b3531a4b2ab77a4568b97798dabe8 /drivers/misc | |
| parent | 2590d5faf4d6ffdad54aefc8c213731831e0e65f (diff) | |
ASoC: msm: Add Buffer overflow check
The overflow check is required to ensure that user space data
in kernel may not go beyond buffer boundary.
CRs-Fixed: 1064411
Change-Id: I54c28a8942cf1a6a47a4e8272f3159b35d753ead
Signed-off-by: Karthik Reddy Katta <a_katta@codeaurora.org>
Diffstat (limited to 'drivers/misc')
| -rw-r--r-- | drivers/misc/qcom/qdsp6v2/audio_utils.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils.c b/drivers/misc/qcom/qdsp6v2/audio_utils.c index cad0220a4960..065b426ca6d0 100644 --- a/drivers/misc/qcom/qdsp6v2/audio_utils.c +++ b/drivers/misc/qcom/qdsp6v2/audio_utils.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved. +/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -24,6 +24,15 @@ #include <asm/ioctls.h> #include "audio_utils.h" +/* + * Define maximum buffer size. Below values are chosen considering the higher + * values used among all native drivers. + */ +#define MAX_FRAME_SIZE 1536 +#define MAX_FRAMES 5 +#define META_SIZE (sizeof(struct meta_out_dsp)) +#define MAX_BUFFER_SIZE (1 + ((MAX_FRAME_SIZE + META_SIZE) * MAX_FRAMES)) + static int audio_in_pause(struct q6audio_in *audio) { int rc; @@ -329,6 +338,10 @@ long audio_in_ioctl(struct file *file, rc = -EINVAL; break; } + if (cfg.buffer_size > MAX_BUFFER_SIZE) { + rc = -EINVAL; + break; + } audio->str_cfg.buffer_size = cfg.buffer_size; audio->str_cfg.buffer_count = cfg.buffer_count; if (audio->opened) { |