forked from luck/tmp_suning_uos_patched
ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
These are 32 bit values that come from the user, we need to check for integer overflows or we could end up allocating a smaller buffer than expected. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
parent
1dac6695c6
commit
b35cc82258
|
@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
|
|||
unsigned int buffer_size;
|
||||
void *buffer;
|
||||
|
||||
if (params->buffer.fragment_size == 0 ||
|
||||
params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
|
||||
return -EINVAL;
|
||||
|
||||
buffer_size = params->buffer.fragment_size * params->buffer.fragments;
|
||||
if (stream->ops->copy) {
|
||||
buffer = NULL;
|
||||
|
|
Loading…
Reference in New Issue
Block a user