From: Takashi Iwai <tiwai@suse.de>
To: moonafterrain@outlook.com
Cc: Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>,
linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org, Yuhao Jiang <danisjiang@gmail.com>
Subject: Re: [PATCH] ALSA: wavefront: Fix integer overflow in sample size validation
Date: Wed, 05 Nov 2025 09:32:43 +0100 [thread overview]
Message-ID: <87seeshob8.wl-tiwai@suse.de> (raw)
In-Reply-To: <SYBPR01MB7881FA5CEECF0CCEABDD6CC4AFC4A@SYBPR01MB7881.ausprd01.prod.outlook.com>
On Tue, 04 Nov 2025 15:10:18 +0100,
moonafterrain@outlook.com wrote:
>
> From: Junrui Luo <moonafterrain@outlook.com>
>
> The wavefront_send_sample() function has an integer overflow issue
> when validating sample size. The header->size field is u32 but gets
> cast to int for comparison with dev->freemem
>
> Fix by using unsigned comparison to avoid integer overflow.
This is not really a right fix, unfortunately.
wavefront_freemem() itself can return a negative value, and the cast
would ignore it.
A better alternative could be something like:
if (dev->freemem < 0 || dev->freemem < header->size) {
so that the cast can be dropped to be compared as unsigned
implicitly.
Not sure whether this still triggers some warnings in the recent
compilers, though. Need testing.
thanks,
Takashi
>
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Reported-by: Junrui Luo <moonafterrain@outlook.com>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
> ---
> sound/isa/wavefront/wavefront_synth.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c
> index cd5c177943aa..4a8c507eae71 100644
> --- a/sound/isa/wavefront/wavefront_synth.c
> +++ b/sound/isa/wavefront/wavefront_synth.c
> @@ -950,9 +950,9 @@ wavefront_send_sample (snd_wavefront_t *dev,
> if (header->size) {
> dev->freemem = wavefront_freemem (dev);
>
> - if (dev->freemem < (int)header->size) {
> + if ((unsigned int)dev->freemem < header->size) {
> dev_err(dev->card->dev,
> - "insufficient memory to load %d byte sample.\n",
> + "insufficient memory to load %u byte sample.\n",
> header->size);
> return -ENOMEM;
> }
> --
> 2.51.1.dirty
>
prev parent reply other threads:[~2025-11-05 8:32 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-04 14:10 [PATCH] ALSA: wavefront: Fix integer overflow in sample size validation moonafterrain
2025-11-05 8:32 ` Takashi Iwai [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87seeshob8.wl-tiwai@suse.de \
--to=tiwai@suse.de \
--cc=danisjiang@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sound@vger.kernel.org \
--cc=moonafterrain@outlook.com \
--cc=perex@perex.cz \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.