diff options
| author | Soumya Managoli <quic_c_smanag@quicinc.com> | 2023-09-01 13:11:33 +0530 |
|---|---|---|
| committer | esubrama <quic_esubrama@quicinc.com> | 2023-09-05 03:47:08 -0700 |
| commit | 7f5bd7bd2b8863e4053b3deb650ebfb61dbd9dcc (patch) | |
| tree | 903b52c9f114f3fe69285321b816d57af2f3dcfe | |
| parent | 73ed2e10eae1d2d7c9ba7d223933e2d9bd101f07 (diff) | |
dsp: afe: Add check for sidetone iir config copy size.
Avoid OOB access of sidetone iir config array when
iir_num_biquad_stages returned from cal block is > 10
Change-Id: I45b95e8bdd1a993a526590c94cf2f9a85c12af37
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
| -rw-r--r-- | sound/soc/msm/qdsp6v2/q6afe.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sound/soc/msm/qdsp6v2/q6afe.c b/sound/soc/msm/qdsp6v2/q6afe.c index 610604fcfe15..21370dbadb5b 100644 --- a/sound/soc/msm/qdsp6v2/q6afe.c +++ b/sound/soc/msm/qdsp6v2/q6afe.c @@ -5475,6 +5475,13 @@ static int afe_sidetone_iir(u16 tx_port_id) pr_debug("%s: adding 2 to size:%d\n", __func__, size); size = size + 2; } + + if (size > MAX_SIDETONE_IIR_DATA_SIZE) { + pr_err("%s: iir_config size is out of bounds:%d\n", __func__, size); + mutex_unlock(&this_afe.cal_data[cal_index]->lock); + ret = -EINVAL; + goto done; + } memcpy(&filter_data.iir_config, &st_iir_cal_info->iir_config, size); mutex_unlock(&this_afe.cal_data[cal_index]->lock); |