| Message ID | 20140716063704.GA26371@mwanda (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 6217e5ede23285ddfee10d2e4ba0cc2d4c046205 |
| Headers | show |
At Wed, 16 Jul 2014 09:37:04 +0300, Dan Carpenter wrote: > > I previously added an integer overflow check here but looking at it now, > it's still buggy. > > The bug happens in snd_compr_allocate_buffer(). We multiply > ".fragments" and ".fragment_size" and that doesn't overflow but then we > save it in an unsigned int so it truncates the high bits away and we > allocate a smaller than expected size. > > Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()') > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > The other option would be to declare buffer_size as size_t instead of > an unsigned int. This feels like a safer fix though. Agreed, I took the patch now as is. Thanks. Takashi > > diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c > index 7403f34..89028fa 100644 > --- a/sound/core/compress_offload.c > +++ b/sound/core/compress_offload.c > @@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params) > { > /* first let's check the buffer parameter's */ > if (params->buffer.fragment_size == 0 || > - params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size) > + params->buffer.fragments > INT_MAX / params->buffer.fragment_size) > return -EINVAL; > > /* now codec parameters */ >
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index 7403f34..89028fa 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params) { /* first let's check the buffer parameter's */ if (params->buffer.fragment_size == 0 || - params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size) + params->buffer.fragments > INT_MAX / params->buffer.fragment_size) return -EINVAL; /* now codec parameters */
I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size. Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- The other option would be to declare buffer_size as size_t instead of an unsigned int. This feels like a safer fix though.