Piteball/android_kernel_samsung_msm8976
1
1
Fork 0
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git synced 2024-11-01 02:21:16 +00:00
Code Issues Projects Releases Wiki Activity

ASoC: msm: audio-effects: misc fixes in h/w accelerated effect

Browse source 
Adding memory copy size check and integer overflow check in h/w
accelerated effect driver.

Change-Id: I17d4cc0a38770f0c5067fa8047cd63e7bf085e48
CRs-Fixed: 1006609
Signed-off-by: Weiyin Jiang <wjiang@codeaurora.org>
This commit is contained in:
Weiyin Jiang 2016-04-26 14:35:38 +08:00 committed by Gerrit - the friendly Code Review server
parent dbd9acb73a
commit 68f1526ec9
2 changed files with 12 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
View file

@ -164,7 +164,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
pr_debug("%s: dec buf size: %d, num_buf: %d, enc buf size: %d, num_buf: %d\n",
__func__, effects->config.output.buf_size,
effects->config.output.buf_size,
effects->config.output.num_buf,
effects->config.input.buf_size,
effects->config.input.num_buf);
rc = q6asm_audio_client_buf_alloc_contiguous(IN, effects->ac,
@ -252,7 +252,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
bufptr = q6asm_is_cpu_buf_avail(IN, effects->ac, &size, &idx);
if (bufptr) {
if (copy_from_user(bufptr, (void *)arg,
if ((effects->config.buf_cfg.output_len > size) ||
copy_from_user(bufptr, (void *)arg,
effects->config.buf_cfg.output_len)) {
rc = -EFAULT;
goto ioctl_fail;
@ -308,7 +309,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
rc = -EFAULT;
goto ioctl_fail;
}
if (copy_to_user((void *)arg, bufptr,
if ((effects->config.buf_cfg.input_len > size) ||
copy_to_user((void *)arg, bufptr,
effects->config.buf_cfg.input_len)) {
rc = -EFAULT;
goto ioctl_fail;

8
sound/soc/msm/qdsp6v2/q6asm.c
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
* Author: Brian Swetland <swetland@google.com>
*
* This software is licensed under the terms of the GNU General Public
@ -1212,6 +1212,12 @@ int q6asm_audio_client_buf_alloc_contiguous(unsigned int dir,
ac->port[dir].buf = buf;
/* check for integer overflow */
if ((bufcnt > 0) && ((INT_MAX / bufcnt) < bufsz)) {
pr_err("%s: integer overflow\n", __func__);
mutex_unlock(&ac->cmd_lock);
goto fail;
}
bytes_to_alloc = bufsz * bufcnt;
/* The size to allocate should be multiple of 4K bytes */