Skip to content

Commit 6217e5e

Browse files
Dan Carpentertiwai
Dan Carpenter
authored andcommitted
ALSA: compress: fix an integer overflow check
I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size. Fixes: b35cc82 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
1 parent 892028a commit 6217e5e

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

Diff for: sound/core/compress_offload.c

+1-1
Original file line numberDiff line numberDiff line change
@@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
491491
{
492492
/* first let's check the buffer parameter's */
493493
if (params->buffer.fragment_size == 0 ||
494-
params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
494+
params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
495495
return -EINVAL;
496496

497497
/* now codec parameters */

0 commit comments

Comments
 (0)