ALSA: compress: fix an integer overflow check

I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size. Fixes: b35cc822 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()') Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Takashi Iwai <tiwai@suse.de>

ALSA: compress: fix an integer overflow check
I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size. Fixes: b35cc822 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()') Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Takashi Iwai <tiwai@suse.de>
6217e5ed · Dan Carpenter · Takashi Iwai · 892028ac · 6217e5ed
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

sound/core/compress_offload.c sound/core/compress_offload.c +1 -1

未找到文件。
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
 {
 	/* first let's check the buffer parameter's */
 	if (params->buffer.fragment_size == 0 ||
-			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
 		return -EINVAL;

 	/* now codec parameters */