wavefront_fx.c utilizes memdup_user() to copy a userspace array. This does not check for an overflow.
Use the new wrapper memdup_array_user() to copy the array more safely.
Suggested-by: Dave Airlie airlied@redhat.com Signed-off-by: Philipp Stanner pstanner@redhat.com --- sound/isa/wavefront/wavefront_fx.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/isa/wavefront/wavefront_fx.c b/sound/isa/wavefront/wavefront_fx.c index 3c21324b2a0e..0273b7dfaf12 100644 --- a/sound/isa/wavefront/wavefront_fx.c +++ b/sound/isa/wavefront/wavefront_fx.c @@ -191,9 +191,9 @@ snd_wavefront_fx_ioctl (struct snd_hwdep *sdev, struct file *file, "> 512 bytes to FX\n"); return -EIO; } - page_data = memdup_user((unsigned char __user *) - r.data[3], - r.data[2] * sizeof(short)); + page_data = memdup_array_user((unsigned char __user *) + r.data[3], + r.data[2], sizeof(short)); if (IS_ERR(page_data)) return PTR_ERR(page_data); pd = page_data;