ASoC: msm: qdsp6v2: DAP: Add check to validate param length

To avoid buffer overflow, validate input length used to fetch visualizer data. CRs-Fixed: 1033540 Change-Id: I445d1ba3bce47308bc31ae24a70d5ee358f22a2d Signed-off-by: Ashish Jain <ashishj@codeaurora.org>
2024-10-31 18:09:19 +00:00 · 2016-07-01 12:31:21 +05:30 · 2016-07-01 12:31:21 +05:30 · 952e938f8c
commit 952e938f8c
parent ff694c5bf8
2 changed files with 9 additions and 1 deletions
--- a/sound/soc/msm/qdsp6v2/msm-dolby-common.h
+++ b/sound/soc/msm/qdsp6v2/msm-dolby-common.h
@ -1,5 +1,5 @@

-/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2014, 2016 The Linux Foundation. All rights reserved.
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
 * only version 2 as published by the Free Software Foundation.
@ -232,6 +232,7 @@

 #define TOTAL_LENGTH_DOLBY_PARAM		745
 #define DOLBY_VIS_PARAM_HEADER_SIZE		25
+#define DOLBY_PARAM_VCNB_MAX_LENGTH		40

 #define DOLBY_INVALID_PORT_ID			-1

--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
@ -1627,6 +1627,13 @@ static int msm_ds2_dap_param_visualizer_control_get(u32 cmd, void *arg)
 	}

 	length = ds2_dap_params[cache_dev].params_val[DOLBY_PARAM_VCNB_OFFSET];
+
+	if (length > DOLBY_PARAM_VCNB_MAX_LENGTH || length <= 0) {
+		ret = 0;
+		dolby_data->length = 0;
+		pr_err("%s Incorrect VCNB length", __func__);
+	}
+
 	params_length = (2*length + DOLBY_VIS_PARAM_HEADER_SIZE) *
 							 sizeof(uint32_t);