From f9264923b826905e6152720f1db9cb7113a5468e Mon Sep 17 00:00:00 2001
From: Ajay Dudani <adudani@codeaurora.org>
Date: Tue, 2 Sep 2014 11:56:26 -0700
Subject: [PATCH] ASoC: msm: Add Buffer overflow check

The overflow check is required to ensure that buffer sizes and counts supplied
from user space cannot make kernel accesses go beyond the buffer boundary.

Change-Id: Ia0c785b8c895c317e9f904bc738df5217b837191
CRs-Fixed: 563086
Signed-off-by: Asish Bhattacharya <asishb@codeaurora.org>
Signed-off-by: Mohammad Johny Shaik <mjshai@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
---
 drivers/misc/qcom/qdsp6v2/audio_utils.c | 11 +++++++++++
 sound/soc/msm/qdsp6v2/q6asm.c           |  4 +++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils.c b/drivers/misc/qcom/qdsp6v2/audio_utils.c
index 767579456176..f39cfb7de83e 100644
--- a/drivers/misc/qcom/qdsp6v2/audio_utils.c
+++ b/drivers/misc/qcom/qdsp6v2/audio_utils.c
@@ -23,6 +23,12 @@
 #include <asm/ioctls.h>
 #include "audio_utils.h"
 
+#define MIN_FRAME_SIZE  1536
+#define NUM_FRAMES	5
+#define META_SIZE	(sizeof(struct meta_out_dsp))
+#define FRAME_SIZE	(1 + ((MIN_FRAME_SIZE + META_SIZE) * NUM_FRAMES))
+
+
 static int audio_in_pause(struct q6audio_in  *audio)
 {
 	int rc;
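Review bot: The four new macros carry no comment, so a reader cannot tell why FRAME_SIZE is `1 + (MIN_FRAME_SIZE + META_SIZE) * NUM_FRAMES` or why NUM_FRAMES is 5 when the buffer_count check further down this patch demands FRAME_NUM (8). I would add a short block comment above `#define MIN_FRAME_SIZE` stating what the leading `1` byte and the per-frame `meta_out_dsp` header account for (presumably a frame-count byte followed by NUM_FRAMES encoded frames each with its metadata — to be confirmed against the encoder path), and that FRAME_SIZE is the largest buffer_size user space may request. If NUM_FRAMES and FRAME_NUM are meant to describe the same buffer, the comment should say so and the two values reconciled; if they are deliberately different, that difference is exactly what needs explaining here. Also note META_SIZE expands to a `size_t`, so any comparison against a signed field will be done unsigned.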
@@ -258,6 +264,11 @@ long audio_in_ioctl(struct file *file,
 			rc = -EINVAL;
 			break;
 		}
+		if ((cfg.buffer_size > FRAME_SIZE) ||
+			(cfg.buffer_count != FRAME_NUM)) {
+			rc = -EINVAL;
+			break;
+		}
 		audio->str_cfg.buffer_size = cfg.buffer_size;
 		audio->str_cfg.buffer_count = cfg.buffer_count;
 		if (audio->opened) {
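Review bot: The new guard only bounds buffer_size from above; a buffer_size of 0 (or, if the field is signed, a negative value that becomes huge once promoted against the `size_t` FRAME_SIZE) still reaches `audio->str_cfg.buffer_size = cfg.buffer_size`, unless the check that ends at the `rc = -EINVAL; break;` just above the hunk already rejects it — that condition is outside the hunk, so please confirm. I would make the guard two-sided, `if (cfg.buffer_size == 0 || cfg.buffer_size > FRAME_SIZE || cfg.buffer_count != FRAME_NUM)`. Separately, FRAME_SIZE is derived from NUM_FRAMES (5) while the same condition insists on FRAME_NUM (8) buffers; the patch defines FRAME_NUM only in q6asm.c, so this file must be picking it up from a header not shown here, and the two constants should come from one place. The enclosing `audio_in_ioctl` starts and ends outside this hunk.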
diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
index 26b96589e409..194ec99dbdfc 100644
--- a/sound/soc/msm/qdsp6v2/q6asm.c
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
@@ -44,7 +44,7 @@
 
 #define TRUE        0x01
 #define FALSE       0x00
-
+#define FRAME_NUM   (8)
 /* TODO, combine them together */
 static DEFINE_MUTEX(session_lock);
 struct asm_mmap {
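Review bot: `FRAME_NUM` is added as a private `#define` in q6asm.c, yet the audio_utils.c hunk in this same patch compares `cfg.buffer_count` against it, so the constant is now a cross-file contract living in a .c file; it should be declared once in the shared header both translation units include (q6asm's public header, presumably) rather than here. If a header already defines FRAME_NUM, this line is a redefinition that at best warns and at worst silently diverges from the header value. A one-line comment, `/* number of audio buffers a client must allocate; must match audio_utils.c */`, would make the coupling visible until it is moved.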
@@ -940,6 +940,8 @@ int q6asm_audio_client_buf_alloc(unsigned int dir,
 			pr_debug("%s: buffer already allocated\n", __func__);
 			return 0;
 		}
+		if (bufcnt != FRAME_NUM)
+			goto fail;
 		mutex_lock(&ac->cmd_lock);
 		buf = kzalloc(((sizeof(struct audio_buffer))*bufcnt),
 				GFP_KERNEL);
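Review bot: The new `if (bufcnt != FRAME_NUM) goto fail;` rejects the request silently — every other rejection path visible in this function logs via pr_debug/pr_err, so a caller passing a different count gets an unexplained failure; I would log before jumping, `pr_err("%s: bufcnt %d != FRAME_NUM %d\n", __func__, bufcnt, FRAME_NUM);`. Strict equality is also stronger than the overflow concern in the commit message requires: the kzalloc below is bounded just as well by `bufcnt == 0 || bufcnt > FRAME_NUM`, which would not break any in-tree caller that legitimately allocates fewer buffers — whether such callers exist cannot be seen from this hunk. The `fail` label and the rest of `q6asm_audio_client_buf_alloc` are outside the hunk, so please confirm it returns an error without touching `ac->port[dir]`.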
-- 
GitLab