On Fri, May 13, 2016 at 05:25:47PM +0530, Vinod Koul wrote:

> + /* Get the FW pointer to derive ADSP header */
> + buf = ctx->fw->data;
> + adsp_hdr = (struct adsp_fw_hdr *)(buf + SKL_ADSP_FW_BIN_HDR_OFFSET);
> + mod_entry = (struct adsp_module_entry *)
> + (buf + SKL_ADSP_FW_BIN_HDR_OFFSET + adsp_hdr->header_len);

What if we somehow managed to end up with a zero length firmware (or
something smaller than these headers)?

> + /*
> + * we check if current pointer is larger than file size from
> + * base value to check excceding the file while parsing
> + */
> + if ((const char *)mod_entry >= buf + ctx->fw->size) {
> + dev_err(ctx->dev,
> + "Exceeds file bound: Entry %d Ptr %p\n",
> + i, mod_entry);
> +
> + return -EIO;
> + }

This checks the start of the entry but it still lets us read beyond the
end of the file.
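Review bot: In the first quoted region, adsp_hdr->header_len is dereferenced to compute mod_entry before anything has compared ctx->fw->size against SKL_ADSP_FW_BIN_HDR_OFFSET + sizeof(struct adsp_fw_hdr), so a truncated or empty firmware image makes that read land past ctx->fw->data. Suggest validating ctx->fw->size against that minimum (and treating header_len as untrusted input from the image) before deriving either pointer, returning an error such as -EINVAL instead of continuing.

Review bot: In the second quoted region, the check `if ((const char *)mod_entry >= buf + ctx->fw->size)` only rejects an entry whose first byte is already past the end of the file; an entry that starts inside the buffer but whose struct adsp_module_entry extends beyond buf + ctx->fw->size still passes and is then read out of bounds. Suggest bounding the whole entry, e.g. `if ((const char *)mod_entry + sizeof(*mod_entry) > buf + ctx->fw->size)`, and fixing the typo "excceding" in the comment while touching it.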
_______________________________________________ Alsa-devel mailing list Alsa-devel@xxxxxxxxxxxxxxxx http://mailman.alsa-project.org/mailman/listinfo/alsa-devel