summaryrefslogtreecommitdiff
path: root/sound
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2014-07-16 09:37:04 +0300
committerTakashi Iwai <tiwai@suse.de>2014-07-16 15:27:03 +0200
commit6217e5ede23285ddfee10d2e4ba0cc2d4c046205 (patch)
tree568d58db520a580ce8070d55d695ec854d8d9bea /sound
parent892028acf020e5f9f8e8894b404400b360f5fe4f (diff)
downloadlwn-6217e5ede23285ddfee10d2e4ba0cc2d4c046205.tar.gz
lwn-6217e5ede23285ddfee10d2e4ba0cc2d4c046205.zip
ALSA: compress: fix an integer overflow check
I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size. Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound')
-rw-r--r--sound/core/compress_offload.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 7403f348ed14..89028fab64fd 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
{
/* first let's check the buffer parameter's */
if (params->buffer.fragment_size == 0 ||
- params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+ params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
return -EINVAL;
/* now codec parameters */