Fix CVE-2012-6703 (integer overflow in ALSA subsystem)

Change-Id: I995b152a3766ebb8faec244849d90d7d2bd5c672
author: Tobias Tefke <tobias.tefke@gmail.com> 2017-09-05 09:58:36 +0200
committer: Mister Oyster <oysterized@gmail.com> 2017-09-05 15:31:46 +0200
commit: a1beff31cf3b220b7c983c1933ad5dbd438f89fc (patch)
tree: f4ef400f8b5a3d4ac43d4d2f947e816f4f03333b /sound
parent: f710aae4b3308d26962cc41a9645020d04074fa7 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 49a44d761..ab2d0ee74 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -468,6 +468,11 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
 	unsigned int buffer_size;
 	void *buffer;
 
+	/* check for integer overflows */
+	if(params->buffer.fragment_size == 0 ||
+		params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+			return -EINVAL;
+
 	buffer_size = params->buffer.fragment_size * params->buffer.fragments;
 	if (stream->ops->copy) {
 		buffer = NULL;
author	Tobias Tefke <tobias.tefke@gmail.com>	2017-09-05 09:58:36 +0200
committer	Mister Oyster <oysterized@gmail.com>	2017-09-05 15:31:46 +0200
commit	a1beff31cf3b220b7c983c1933ad5dbd438f89fc (patch)
tree	f4ef400f8b5a3d4ac43d4d2f947e816f4f03333b /sound
parent	f710aae4b3308d26962cc41a9645020d04074fa7 (diff)