diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2018-12-21 12:06:58 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-03-05 19:58:45 +0300 |
commit | e7b2f9f2bce29fed7c7269d355c94fa6d1d44e99 (patch) | |
tree | 4e033591a89f15a383b914f700b6f891df85af77 /sound/core | |
parent | a4964959ee83e6be9d244af91e0f15a5658ef9de (diff) | |
download | linux-e7b2f9f2bce29fed7c7269d355c94fa6d1d44e99.tar.xz |
ALSA: compress: prevent potential divide by zero bugs
[ Upstream commit 678e2b44c8e3fec3afc7202f1996a4500a50be93 ]
The problem is seen in the q6asm_dai_compr_set_params() function:
ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys,
(prtd->pcm_size / prtd->periods),
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
prtd->periods);
In this code prtd->pcm_size is the buffer_size and prtd->periods comes
from params->buffer.fragments. If we allow the number of fragments to
be zero then it results in a divide by zero bug. One possible fix would
be to use prtd->pcm_count directly instead of using the division to
re-calculate it. But I decided that it doesn't really make sense to
allow zero fragments.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'sound/core')
-rw-r--r-- | sound/core/compress_offload.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index 26b5e245b074..8b78ddffa509 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -529,7 +529,8 @@ static int snd_compress_check_input(struct snd_compr_params *params) { /* first let's check the buffer parameter's */ if (params->buffer.fragment_size == 0 || - params->buffer.fragments > INT_MAX / params->buffer.fragment_size) + params->buffer.fragments > INT_MAX / params->buffer.fragment_size || + params->buffer.fragments == 0) return -EINVAL; /* now codec parameters */ |