At Wed, 16 Jul 2014 09:37:04 +0300,
Dan Carpenter wrote:
>
> I previously added an integer overflow check here but looking at it now,
> it's still buggy.
>
> The bug happens in snd_compr_allocate_buffer(). We multiply
> ".fragments" and ".fragment_size" and that doesn't overflow but then we
> save it in an unsigned int so it truncates the high bits away and we
> allocate a smaller than expected size.
>
> Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> The other option would be to declare buffer_size as size_t instead of
> an unsigned int. This feels like a safer fix though.
Agreed, I took the patch now as is. Thanks.
Takashi
>
> diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
> index 7403f34..89028fa 100644
> --- a/sound/core/compress_offload.c
> +++ b/sound/core/compress_offload.c
> @@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
> {
> /* first let's check the buffer parameter's */
> if (params->buffer.fragment_size == 0 ||
> - params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
> + params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
> return -EINVAL;
>
> /* now codec parameters */
>
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
