Skip to content
Permalink
Browse files Browse the repository at this point in the history
ALSA: compress: fix an integer overflow check
I previously added an integer overflow check here but looking at it now,
it's still buggy.

The bug happens in snd_compr_allocate_buffer().  We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.

Fixes: b35cc82 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
  • Loading branch information
Dan Carpenter authored and tiwai committed Jul 16, 2014
1 parent 892028a commit 6217e5e
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion sound/core/compress_offload.c
Expand Up @@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
{
/* first let's check the buffer parameter's */
if (params->buffer.fragment_size == 0 ||
params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
return -EINVAL;

/* now codec parameters */
Expand Down

0 comments on commit 6217e5e

Please sign in to comment.