diff options
| author | Abinath S <quic_abins@quicinc.com> | 2024-05-17 18:12:15 +0530 |
|---|---|---|
| committer | Abinath S <quic_abins@quicinc.com> | 2024-05-27 09:52:46 +0530 |
| commit | daec7e0637ee2c6d5a05460d1afa36b22e97b418 (patch) | |
| tree | e7f01a13eddb7a51e07a60d14c7cc527e4ce41d5 | |
| parent | 605b4ceebfedc27d6b83ab4f0337973e43e02cc3 (diff) | |
dsp: q6voice: Adds checks for an integer overflow
there is no check for cvs_voc_pkt[2],when receives
0xffffffff from ADSP which results in an integer overflow
Fix is to address this.
Change-Id: I9a85544a51a3edfe5f0b86efc62bd86f98e88c24
Signed-off-by: Abinath S <quic_abins@quicinc.com>
(cherry picked from commit 4524418cd14dce47e4ea7234618f919e28dbbe5a)
| -rw-r--r-- | sound/soc/msm/qdsp6v2/q6voice.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/sound/soc/msm/qdsp6v2/q6voice.c b/sound/soc/msm/qdsp6v2/q6voice.c index 2f8e76844a67..54931f58d92f 100644 --- a/sound/soc/msm/qdsp6v2/q6voice.c +++ b/sound/soc/msm/qdsp6v2/q6voice.c @@ -1,5 +1,5 @@ /* Copyright (c) 2012-2018, 2020, The Linux Foundation. All rights reserved. - * + * Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved. * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and * only version 2 as published by the Free Software Foundation. @@ -17,6 +17,7 @@ #include <linux/wait.h> #include <linux/mutex.h> #include <linux/msm_audio_ion.h> +#include <linux/overflow.h> #include <soc/qcom/socinfo.h> #include <linux/qdsp6v2/apr_tal.h> @@ -6770,7 +6771,7 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv) VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_READY) { int ret = 0; u16 cvs_handle; - uint32_t *cvs_voc_pkt; + uint32_t *cvs_voc_pkt, tot_buf_sz; struct cvs_enc_buffer_consumed_cmd send_enc_buf_consumed_cmd; void *apr_cvs; @@ -6799,9 +6800,15 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv) VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_CONSUMED; cvs_voc_pkt = v->shmem_info.sh_buf.buf[1].data; + + if (__unsigned_add_overflow(cvs_voc_pkt[2], + (uint32_t)(3 * sizeof(uint32_t)), &tot_buf_sz)) { + pr_err("%s: integer overflow detected\n", __func__); + return -EINVAL; + } + if (cvs_voc_pkt != NULL && common.mvs_info.ul_cb != NULL) { - if (v->shmem_info.sh_buf.buf[1].size < - ((3 * sizeof(uint32_t)) + cvs_voc_pkt[2])) { + if (v->shmem_info.sh_buf.buf[1].size < tot_buf_sz) { pr_err("%s: invalid voc pkt size\n", __func__); return -EINVAL; } |