[alsa-devel] [patch] ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
Dan Carpenter
dan.carpenter at oracle.com
Wed Sep 5 14:32:18 CEST 2012
These are 32 bit values that come from the user, we need to check for
integer overflows or we could end up allocating a smaller buffer than
expected.
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index ec2118d..5a733e7 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -409,6 +409,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
unsigned int buffer_size;
void *buffer;
+ if (params->buffer.fragment_size == 0 ||
+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+ return -EINVAL;
+
buffer_size = params->buffer.fragment_size * params->buffer.fragments;
if (stream->ops->copy) {
buffer = NULL;
More information about the Alsa-devel
mailing list