[PATCH 4/4] ALSA: compress: prevent potential divide by zero bugs

public inbox for kernel-janitors@vger.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Patrick Lai <plai@codeaurora.org>,
	Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc: alsa-devel@alsa-project.org,
	Banajit Goswami <bgoswami@codeaurora.org>,
	kernel-janitors@vger.kernel.org, Takashi Iwai <tiwai@suse.com>,
	Liam Girdwood <lgirdwood@gmail.com>,
	Vinod Koul <vkoul@kernel.org>, Mark Brown <broonie@kernel.org>
Subject: [PATCH 4/4] ALSA: compress: prevent potential divide by zero bugs
Date: Fri, 21 Dec 2018 09:06:58 +0000	[thread overview]
Message-ID: <20181221090658.GD2735@kadam> (raw)
In-Reply-To: <20181221090442.GA2735@kadam>

The problem is seen in the q6asm_dai_compr_set_params() function:

	ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys,
				       (prtd->pcm_size / prtd->periods),
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
				       prtd->periods);

In this code prtd->pcm_size is the buffer_size and prtd->periods comes
from params->buffer.fragments.  If we allow the number of fragments to
be zero then it results in a divide by zero bug.  One possible fix would
be to use prtd->pcm_count directly instead of using the division to
re-calculate it.  But I decided that it doesn't really make sense to
allow zero fragments.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I am not very sure of this patch.  Please review it extra carefully
because it is an API change.

 sound/core/compress_offload.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index a5b09e75e787..f7d2b373da0a 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -541,7 +541,8 @@ static int snd_compress_check_input(struct snd_compr_params *params)
 {
 	/* first let's check the buffer parameter's */
 	if (params->buffer.fragment_size = 0 ||
-	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
+	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size ||
+	    params->buffer.fragments = 0)
 		return -EINVAL;
 
 	/* now codec parameters */
-- 
2.17.1

next prev parent reply	other threads:[~2018-12-21  9:06 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-21  9:04 [PATCH 1/2] ASoC: qdsp6: q6asm-dai: Off by one in of_q6asm_parse_dai_data() Dan Carpenter
2018-12-21  9:05 ` [PATCH 2/2] ASoC: qdsp6: q6asm-dai: Fix a NULL vs IS_ERR() bug Dan Carpenter
2018-12-21 12:29   ` Srinivas Kandagatla
2018-12-21 13:42   ` Applied "ASoC: qdsp6: q6asm-dai: Fix a NULL vs IS_ERR() bug" to the asoc tree Mark Brown
2018-12-21  9:06 ` [PATCH 3/4] ASoC: qdsp6: q6asm-dai: Fix a small memory leak Dan Carpenter
2018-12-21 12:29   ` [alsa-devel] " Srinivas Kandagatla
2018-12-21 13:42   ` Applied "ASoC: qdsp6: q6asm-dai: Fix a small memory leak" to the asoc tree Mark Brown
2018-12-21  9:06 ` Dan Carpenter [this message]
2018-12-21 13:42   ` Applied "ALSA: compress: prevent potential divide by zero bugs" " Mark Brown
2018-12-21 12:31 ` [PATCH 1/2] ASoC: qdsp6: q6asm-dai: Off by one in of_q6asm_parse_dai_data() Srinivas Kandagatla
2018-12-21 13:42 ` Applied "ASoC: qdsp6: q6asm-dai: Off by one in of_q6asm_parse_dai_data()" to the asoc tree Mark Brown

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:a5b09e75e78 dfblob:f7d2b373da0 )
 OR (
bs:"[PATCH 4/4] ALSA: compress: prevent potential divide by zero bugs" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181221090658.GD2735@kadam \
    --to=dan.carpenter@oracle.com \
    --cc=alsa-devel@alsa-project.org \
    --cc=bgoswami@codeaurora.org \
    --cc=broonie@kernel.org \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=lgirdwood@gmail.com \
    --cc=plai@codeaurora.org \
    --cc=srinivas.kandagatla@linaro.org \
    --cc=tiwai@suse.com \
    --cc=vkoul@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox