From: Takashi Iwai <tiwai@suse.de>
To: moonafterrain@outlook.com
Cc: Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>,
linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org, Yuhao Jiang <danisjiang@gmail.com>
Subject: Re: [PATCH] ALSA: wavefront: Fix integer overflow in sample size validation
Date: Wed, 05 Nov 2025 09:32:43 +0100 [thread overview]
Message-ID: <87seeshob8.wl-tiwai@suse.de> (raw)
In-Reply-To: <SYBPR01MB7881FA5CEECF0CCEABDD6CC4AFC4A@SYBPR01MB7881.ausprd01.prod.outlook.com>
On Tue, 04 Nov 2025 15:10:18 +0100,
moonafterrain@outlook.com wrote:
>
> From: Junrui Luo <moonafterrain@outlook.com>
>
> The wavefront_send_sample() function has an integer overflow issue
> when validating sample size. The header->size field is u32 but gets
> cast to int for comparison with dev->freemem
>
> Fix by using unsigned comparison to avoid integer overflow.
This is not really a right fix, unfortunately.
wavefront_freemem() itself can return a negative value, and the cast
would ignore it.
A better alternative could be something like:
if (dev->freemem < 0 || dev->freemem < header->size) {
so that the cast can be dropped to be compared as unsigned
implicitly.
Not sure whether this still triggers some warnings in the recent
compilers, though. Need testing.
thanks,
Takashi
>
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Reported-by: Junrui Luo <moonafterrain@outlook.com>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
> ---
> sound/isa/wavefront/wavefront_synth.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c
> index cd5c177943aa..4a8c507eae71 100644
> --- a/sound/isa/wavefront/wavefront_synth.c
> +++ b/sound/isa/wavefront/wavefront_synth.c
> @@ -950,9 +950,9 @@ wavefront_send_sample (snd_wavefront_t *dev,
> if (header->size) {
> dev->freemem = wavefront_freemem (dev);
>
> - if (dev->freemem < (int)header->size) {
> + if ((unsigned int)dev->freemem < header->size) {
> dev_err(dev->card->dev,
> - "insufficient memory to load %d byte sample.\n",
> + "insufficient memory to load %u byte sample.\n",
> header->size);
> return -ENOMEM;
> }
> --
> 2.51.1.dirty
>
prev parent reply other threads:[~2025-11-05 8:32 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-04 14:10 [PATCH] ALSA: wavefront: Fix integer overflow in sample size validation moonafterrain
2025-11-05 8:32 ` Takashi Iwai [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87seeshob8.wl-tiwai@suse.de \
--to=tiwai@suse.de \
--cc=danisjiang@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sound@vger.kernel.org \
--cc=moonafterrain@outlook.com \
--cc=perex@perex.cz \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox