On Tue, Feb 02, 2021 at 12:38:09PM +0100, Christian Gromm wrote:
> This patch zero checks the function parameter 'bytes' before doing the
> subtraction to prevent memory corruption.
>
> Signed-off-by: Christian Gromm <christian.gromm@xxxxxxxxxxxxx>
> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/staging/most/sound/sound.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/staging/most/sound/sound.c b/drivers/staging/most/sound/sound.c
> index 3a1a590..953a4fe 100644
> --- a/drivers/staging/most/sound/sound.c
> +++ b/drivers/staging/most/sound/sound.c
> @@ -86,6 +86,8 @@ static void swap_copy24(u8 *dest, const u8 *source, unsigned int bytes)
> {
> unsigned int i = 0;
>
> + if (!bytes)
> + return;
> while (i < bytes - 2) {
If "bytes == 1" then this will cause problems still. "bytes - 2"
becomes UINT_MAX. I mean probably that's not possible but we may as
well make the sanity check if (bytes < 2) just for readability.
regards,
dan carpenter
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
