authorAlexander Grund <flamefire89@gmail.com>2023-11-05 12:05:36 +0100
committerAlexander Grund <flamefire89@gmail.com>2023-11-09 19:17:23 +0100
commit1d2e8eaf169ab964769ecee9debe536ee6342eaf (patch)
tree95b2d9ec739fa88c9140205158fca7009bf8ee56
parentc48d1e51003b8558454200da22974dd17834d21d (diff)
ALSA: rawmidi: Avoid OOB access to runtime buffer
The hardware and application ptrs must be less than buffer_size, otherwise there will be an out-of-bounds access because they are used as offsets into the buffer. Additionally, the difference between buffer_size and those pointers is taken and passed to `memcpy`, which would turn the negative value into a large positive value, also overflowing the buffer. This can happen when the new buffer_size passed to the ioctl is smaller than the old one: buffer_size is updated but the ptrs are not reset. Contained in 01b6ca65e10f2 ("ALSA: rawmidi: Change resized buffers atomically") but lost due to a merge conflict with 742017e8de6a8 ("ANDROID: sound: rawmidi: Hold lock around realloc") Fixes: 08e780103611f ("Merge branch 'android-4.4-p'") Change-Id: Ibc0e1ae3eb8691d5865e2146367699ac119d6935
-rw-r--r--sound/core/rawmidi.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 11fdc1d9797e..1b00d9a084b3 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -676,6 +676,7 @@ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
runtime->buffer = newbuf;
runtime->buffer_size = params->buffer_size;
runtime->avail = runtime->buffer_size;
+ runtime->appl_ptr = runtime->hw_ptr = 0;
spin_unlock_irqrestore(&runtime->lock, flags);
if (oldbuf != newbuf)
kfree(oldbuf);
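Review bot: The added `runtime->appl_ptr = runtime->hw_ptr = 0;` carries no comment, and the reason it must sit inside the locked region next to the buffer_size update is not obvious to a reader who only sees the resize path. Suggest `/* ptrs are offsets into the new buffer; stale values may exceed the new buffer_size */` directly above the new line. snd_rawmidi_output_params starts before the hunk.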
@@ -714,6 +715,7 @@ int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream,
oldbuf = runtime->buffer;
runtime->buffer = newbuf;
runtime->buffer_size = params->buffer_size;
+ runtime->appl_ptr = runtime->hw_ptr = 0;
spin_unlock_irqrestore(&runtime->lock, flags);
if (oldbuf != newbuf)
kfree(oldbuf);
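Review bot: In this input hunk only the pointers are reset while `runtime->avail` is left untouched, whereas the output hunk updates avail together with the new buffer_size; with hw_ptr and appl_ptr back at 0, a stale non-zero avail describes unread bytes that the freshly allocated buffer does not contain, so a subsequent read could hand back stale or zeroed data. If nothing outside the hunk resets it on resize, add `runtime->avail = 0;` beside the new line, still under the lock. snd_rawmidi_input_params starts before the hunk.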