Commit b35cc822 authored by Dan Carpenter's avatar Dan Carpenter Committed by Takashi Iwai

ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()

These are 32 bit values that come from the user, we need to check for
integer overflows or we could end up allocating a smaller buffer than
expected.
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent 1dac6695
...@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream, ...@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
unsigned int buffer_size; unsigned int buffer_size;
void *buffer; void *buffer;
if (params->buffer.fragment_size == 0 ||
params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
return -EINVAL;
buffer_size = params->buffer.fragment_size * params->buffer.fragments; buffer_size = params->buffer.fragment_size * params->buffer.fragments;
if (stream->ops->copy) { if (stream->ops->copy) {
buffer = NULL; buffer = NULL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment