ASoC: msm: qdsp6v2: Add range checking in msm_dai_q6_set_channel_map

Range checking is added to prevent buffer overflow that due to inputs
can be set by user space.

CRs-Fixed: 1098363
CAF-Change-Id: I057261291806240ee6d7b8106a5e83a7665e013d
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>

CVE-2017-0608

Change-Id: I41aee14edf5a7dd257aae78132047048b82b127e
(cherry picked from commit b66f442dd97c781e873e8f7b248e197f86fd2980)

sound/soc/msm/msm-dai-q6.c

@@ -1412,6 +1412,10 @@ static int msm_dai_q6_set_channel_map(struct snd_soc_dai *dai,
 		 */
 		if (!rx_slot)
 			return -EINVAL;
+		if (rx_num > AFE_PORT_MAX_AUDIO_CHAN_CNT) {
+			pr_err("%s: invalid rx num %d\n", __func__, rx_num);
+			return -EINVAL;
+		}
 		for (i = 0; i < rx_num; i++) {
 			dai_data->port_config.slim_sch.slave_ch_mapping[i] =
 							rx_slot[i];
@@ -1438,6 +1442,10 @@ static int msm_dai_q6_set_channel_map(struct snd_soc_dai *dai,
 		 */
 		if (!tx_slot)
 			return -EINVAL;
+		if (tx_num > AFE_PORT_MAX_AUDIO_CHAN_CNT) {
+			pr_err("%s: invalid tx num %d\n", __func__, tx_num);
+			return -EINVAL;
+		}
 		for (i = 0; i < tx_num; i++) {
 			dai_data->port_config.slim_sch.slave_ch_mapping[i] =
 							tx_slot[i];

sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c

@@ -708,6 +708,10 @@ static int msm_dai_q6_set_channel_map(struct snd_soc_dai *dai,
 		 */
 		if (!rx_slot)
 			return -EINVAL;
+		if (rx_num > AFE_PORT_MAX_AUDIO_CHAN_CNT) {
+			pr_err("%s: invalid rx num %d\n", __func__, rx_num);
+			return -EINVAL;
+		}
 		for (i = 0; i < rx_num; i++) {
 			dai_data->port_config.slim_sch.shared_ch_mapping[i] =
 			    rx_slot[i];
@@ -730,6 +734,10 @@ static int msm_dai_q6_set_channel_map(struct snd_soc_dai *dai,
 		 */
 		if (!tx_slot)
 			return -EINVAL;
+		if (tx_num > AFE_PORT_MAX_AUDIO_CHAN_CNT) {
+			pr_err("%s: invalid tx num %d\n", __func__, tx_num);
+			return -EINVAL;
+		}
 		for (i = 0; i < tx_num; i++) {
 			dai_data->port_config.slim_sch.shared_ch_mapping[i] =
 			    tx_slot[i];