From patchwork Wed Jul 16 06:37:04 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter <dan.carpenter@oracle.com>
X-Patchwork-Id: 4564801
Return-Path: <alsa-devel-bounces@alsa-project.org>
X-Original-To: patchwork-alsa-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 09F549F1D6
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Wed, 16 Jul 2014 06:37:59 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 16883201BB
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Wed, 16 Jul 2014 06:37:58 +0000 (UTC)
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	by mail.kernel.org (Postfix) with ESMTP id 891E1201B9
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Wed, 16 Jul 2014 06:37:55 +0000 (UTC)
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 970622652AE; Wed, 16 Jul 2014 08:37:48 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, UNPARSEABLE_RELAY
	autolearn=unavailable version=3.3.1
Received: from alsa0.perex.cz (localhost [IPv6:::1])
	by alsa0.perex.cz (Postfix) with ESMTP id E611526510B;
	Wed, 16 Jul 2014 08:37:39 +0200 (CEST)
X-Original-To: alsa-devel@alsa-project.org
Delivered-To: alsa-devel@alsa-project.org
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 603EA2651C9; Wed, 16 Jul 2014 08:37:38 +0200 (CEST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81])
	by alsa0.perex.cz (Postfix) with ESMTP id 23B3F265099
	for <alsa-devel@alsa-project.org>;
	Wed, 16 Jul 2014 08:37:29 +0200 (CEST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237])
	by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2)
	with ESMTP id s6G6bMjb030710
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Wed, 16 Jul 2014 06:37:23 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231])
	by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
	s6G6bHjd006524
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 16 Jul 2014 06:37:18 GMT
Received: from abhmp0014.oracle.com (abhmp0014.oracle.com [141.146.116.20])
	by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
	s6G6bHdS022540; Wed, 16 Jul 2014 06:37:17 GMT
Received: from mwanda (/41.202.233.185)
	by default (Oracle Beehive Gateway v4.0)
	with ESMTP ; Tue, 15 Jul 2014 23:37:17 -0700
Date: Wed, 16 Jul 2014 09:37:04 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Vinod Koul <vinod.koul@intel.com>
Message-ID: <20140716063704.GA26371@mwanda>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: Takashi Iwai <tiwai@suse.de>, alsa-devel@alsa-project.org,
	kernel-janitors@vger.kernel.org
Subject: [alsa-devel] [patch] ALSA: compress: fix an integer overflow check
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
	http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: 
 <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
X-Virus-Scanned: ClamAV using ClamSMTP

I previously added an integer overflow check here but looking at it now,
it's still buggy.

The bug happens in snd_compr_allocate_buffer().  We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.

Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
The other option would be to declare buffer_size as size_t instead of
an unsigned int.  This feels like a safer fix though.

diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 7403f34..89028fa 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
 {
 	/* first let's check the buffer parameter's */
 	if (params->buffer.fragment_size == 0 ||
-			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
 		return -EINVAL;
 
 	/* now codec parameters */