From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Carpenter Subject: [patch] ALSA: compress: fix an integer overflow check Date: Wed, 16 Jul 2014 09:37:04 +0300 Message-ID: <20140716063704.GA26371@mwanda> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Content-Disposition: inline Sender: kernel-janitors-owner@vger.kernel.org To: Vinod Koul Cc: Jaroslav Kysela , Takashi Iwai , alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org List-Id: alsa-devel@alsa-project.org I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size. Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()') Signed-off-by: Dan Carpenter --- The other option would be to declare buffer_size as size_t instead of an unsigned int. This feels like a safer fix though. diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index 7403f34..89028fa 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params) { /* first let's check the buffer parameter's */ if (params->buffer.fragment_size == 0 || - params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size) + params->buffer.fragments > INT_MAX / params->buffer.fragment_size) return -EINVAL; /* now codec parameters */ From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Carpenter Date: Wed, 16 Jul 2014 06:37:04 +0000 Subject: [patch] ALSA: compress: fix an integer overflow check Message-Id: <20140716063704.GA26371@mwanda> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Vinod Koul Cc: Jaroslav Kysela , Takashi Iwai , alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size. Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()') Signed-off-by: Dan Carpenter --- The other option would be to declare buffer_size as size_t instead of an unsigned int. This feels like a safer fix though. diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index 7403f34..89028fa 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params) { /* first let's check the buffer parameter's */ if (params->buffer.fragment_size = 0 || - params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size) + params->buffer.fragments > INT_MAX / params->buffer.fragment_size) return -EINVAL; /* now codec parameters */