[alsa-devel] [patch] ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
Takashi Iwai
tiwai at suse.de
Wed Sep 5 15:40:06 CEST 2012
At Wed, 5 Sep 2012 15:32:18 +0300,
Dan Carpenter wrote:
>
> These are 32 bit values that come from the user, we need to check for
> integer overflows or we could end up allocating a smaller buffer than
> expected.
The buffer size here is supposed to be fairly small that kmalloc can
handle. So, the overflow check is good, but in practice it'd return
-ENOMEM. Of course, it's fine to put the sanity check, but such
checks could be better performed in snd_compr_set_params() before
calling the allocation, I think.
thanks,
Takashi
>
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
>
> diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
> index ec2118d..5a733e7 100644
> --- a/sound/core/compress_offload.c
> +++ b/sound/core/compress_offload.c
> @@ -409,6 +409,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
> unsigned int buffer_size;
> void *buffer;
>
> + if (params->buffer.fragment_size == 0 ||
> + params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
> + return -EINVAL;
> +
> buffer_size = params->buffer.fragment_size * params->buffer.fragments;
> if (stream->ops->copy) {
> buffer = NULL;
>
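Review bot: The bound in the added check is SIZE_MAX, but the product is stored in `unsigned int buffer_size` (declared in the context lines just above the check). On a 64-bit build, where size_t is wider than unsigned int, `params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size` can never be true for the 32 bit values the commit message describes, so the multiplication on the line after the check can still wrap and yield a smaller buffer_size than requested. Compare against the limit of the type that holds the result, for example `params->buffer.fragments > UINT_MAX / params->buffer.fragment_size`, or against a smaller explicit cap, since the buffer is expected to be small enough for kmalloc.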