From a1beff31cf3b220b7c983c1933ad5dbd438f89fc Mon Sep 17 00:00:00 2001
From: Tobias Tefke <tobias.tefke@gmail.com>
Date: Tue, 5 Sep 2017 09:58:36 +0200
Subject: Fix CVE-2012-6703 (integer overflow in ALSA subsystem)

Change-Id: I995b152a3766ebb8faec244849d90d7d2bd5c672
---
 sound/core/compress_offload.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 49a44d761..ab2d0ee74 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -468,6 +468,11 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
 	unsigned int buffer_size;
 	void *buffer;
 
+	/* check for integer overflows */
+	if(params->buffer.fragment_size == 0 ||
+		params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+			return -EINVAL;
+
 	buffer_size = params->buffer.fragment_size * params->buffer.fragments;
 	if (stream->ops->copy) {
 		buffer = NULL;
-- 
cgit v1.2.3