Skip to content

Commit b35cc82

Browse files
Dan Carpentertiwai
Dan Carpenter
authored andcommitted
ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
These are 32 bit values that come from the user, we need to check for integer overflows or we could end up allocating a smaller buffer than expected. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
1 parent 1dac669 commit b35cc82

File tree

1 file changed

+4
-0
lines changed

1 file changed

+4
-0
lines changed

Diff for: sound/core/compress_offload.c

+4
Original file line numberDiff line numberDiff line change
@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
407407
unsigned int buffer_size;
408408
void *buffer;
409409

410+
if (params->buffer.fragment_size == 0 ||
411+
params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
412+
return -EINVAL;
413+
410414
buffer_size = params->buffer.fragment_size * params->buffer.fragments;
411415
if (stream->ops->copy) {
412416
buffer = NULL;

0 commit comments

Comments
 (0)