[alsa-devel] [PATCH] ALSA: pcm: Check for integer overflow during multiplication
bgoswami at codeaurora.org
bgoswami at codeaurora.org
Tue May 28 07:27:03 CEST 2019
From: Phani Kumar Uppalapati <phaniu at codeaurora.org>
Channel info data structure is parsed from userspace and if
the number of channels is not set correctly, it could lead
to integer overflow when the number of channels is multiplied
with pcm bit width. Add a condition to check for integer
overflow during the multiplication operationi, and return error
if overflow detected.
Signed-off-by: Phani Kumar Uppalapati <phaniu at codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami at codeaurora.org>
---
sound/core/pcm_lib.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
index 345ab1a..f45ae3a 100644
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -1718,6 +1718,11 @@ static int snd_pcm_lib_ioctl_channel_info(struct snd_pcm_substream *substream,
switch (runtime->access) {
case SNDRV_PCM_ACCESS_MMAP_INTERLEAVED:
case SNDRV_PCM_ACCESS_RW_INTERLEAVED:
+ if ((UINT_MAX/width) < info->channel) {
+ snd_printd("%s: integer overflow in multiplication\n",
+ __func__);
+ return -EINVAL;
+ }
info->first = info->channel * width;
info->step = runtime->channels * width;
break;
@@ -1725,6 +1730,12 @@ static int snd_pcm_lib_ioctl_channel_info(struct snd_pcm_substream *substream,
case SNDRV_PCM_ACCESS_RW_NONINTERLEAVED:
{
size_t size = runtime->dma_bytes / runtime->channels;
+
+ if ((size > 0) && ((UINT_MAX/(size * 8)) < info->channel)) {
+ snd_printd("%s: integer overflow in multiplication\n",
+ __func__);
+ return -EINVAL;
+ }
info->first = info->channel * size * 8;
info->step = width;
break;
--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project
More information about the Alsa-devel
mailing list