ALSA: compress: fix an integer overflow check

I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size. Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
author: Dan Carpenter <dan.carpenter@oracle.com> 2014-07-16 09:37:04 +0300
committer: Moyster <oysterized@gmail.com> 2016-11-07 13:46:52 +0100
commit: bb223cd40a20cfb76954186bc3468af10a6fdae0 (patch)
tree: 72af5a4d0309686e0b9e57b158d5546e3a78f47b /sound/core
parent: 2ca3197bcb410eb16e4645abd8cbbcec2a077e99 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 1af5f9910..df35cbfee 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -490,7 +490,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
 {
 	/* first let's check the buffer parameter's */
 	if (params->buffer.fragment_size == 0 ||
-			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
 		return -EINVAL;
 
 	/* now codec parameters */
author	Dan Carpenter <dan.carpenter@oracle.com>	2014-07-16 09:37:04 +0300
committer	Moyster <oysterized@gmail.com>	2016-11-07 13:46:52 +0100
commit	bb223cd40a20cfb76954186bc3468af10a6fdae0 (patch)
tree	72af5a4d0309686e0b9e57b158d5546e3a78f47b /sound/core
parent	2ca3197bcb410eb16e4645abd8cbbcec2a077e99 (diff)