Skip to content
Permalink
Browse files Browse the repository at this point in the history
ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
These are 32 bit values that come from the user, we need to check for
integer overflows or we could end up allocating a smaller buffer than
expected.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
  • Loading branch information
Dan Carpenter authored and tiwai committed Sep 14, 2012
1 parent 1dac669 commit b35cc82
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions sound/core/compress_offload.c
Expand Up @@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
unsigned int buffer_size;
void *buffer;

if (params->buffer.fragment_size == 0 ||
params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
return -EINVAL;

buffer_size = params->buffer.fragment_size * params->buffer.fragments;
if (stream->ops->copy) {
buffer = NULL;
Expand Down

0 comments on commit b35cc82

Please sign in to comment.