From b35cc8225845112a616e3a2266d2fde5ab13d3ab Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Wed, 5 Sep 2012 15:32:18 +0300 Subject: [PATCH] ALSA: compress_core: integer overflow in snd_compr_allocate_buffer() These are 32 bit values that come from the user, we need to check for integer overflows or we could end up allocating a smaller buffer than expected. Signed-off-by: Dan Carpenter Signed-off-by: Takashi Iwai --- sound/core/compress_offload.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index eb60cb8dbb8a..68fe02c7400a 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream, unsigned int buffer_size; void *buffer; + if (params->buffer.fragment_size == 0 || + params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size) + return -EINVAL; + buffer_size = params->buffer.fragment_size * params->buffer.fragments; if (stream->ops->copy) { buffer = NULL;