On Tue, 28 May 2019 07:27:03 +0200, bgoswami@codeaurora.org wrote:
From: Phani Kumar Uppalapati phaniu@codeaurora.org
Channel info data structure is parsed from userspace and if the number of channels is not set correctly, it could lead to integer overflow when the number of channels is multiplied with pcm bit width. Add a condition to check for integer overflow during the multiplication operationi, and return error if overflow detected.
Signed-off-by: Phani Kumar Uppalapati phaniu@codeaurora.org Signed-off-by: Banajit Goswami bgoswami@codeaurora.org
Did you really hit this?
The info->channel value is already checked in snd_pcm_channel_info() before calling the ioctl ops, to the upper bound runtime->channels. So it shouldn't overflow at the point you suggested.
thanks,
Takashi