[PULL 1/8] es1370: check total frame count against current frame
From: Gerd Hoffmann
Subject: [PULL 1/8] es1370: check total frame count against current frame
Date: Tue, 26 May 2020 09:56:32 +0200

From: Prasad J Pandit <address@hidden>

A guest user may set channel frame count via es1370_write()
such that, in es1370_transfer_audio(), total frame count
'size' is less than the number of frames that are processed
'cnt'.

    int cnt = d->frame_cnt >> 16;
    int size = d->frame_cnt & 0xffff;

if (size < cnt), it results in incorrect calculations leading
to OOB access issue(s). Add check to avoid it.

Reported-by: Ren Ding <address@hidden>
Reported-by: Hanqing Zhao <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/audio/es1370.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
index 89c4dabcd44f..5f8a83ff5624 100644
--- a/hw/audio/es1370.c
+++ b/hw/audio/es1370.c
@@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct
chan *d, int loop_sel,
int csc_bytes = (csc + 1) << d->shift;
int cnt = d->frame_cnt >> 16;
int size = d->frame_cnt & 0xffff;
+ if (size < cnt) {
+ return;
+ }
int left = ((size - cnt + 1) << 2) + d->leftover;
int transferred = 0;
int temp = MIN (max, MIN (left, csc_bytes));
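Review bot: the new `if (size < cnt)` check sits between the declarations of `size` and `left`, so `left`, `transferred` and `temp` are now declared after a statement; declaring them at the top of the block and assigning them after the check keeps declarations ahead of code. The early `return` is also silent: a one-line comment that a guest-programmed `frame_cnt` with `size < cnt` is rejected here would make the reason visible at the check itself.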
@@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct
chan *d, int loop_sel,
addr += (cnt << 2) + d->leftover;
if (index == ADC_CHANNEL) {
- while (temp) {
+ while (temp > 0) {
int acquired, to_copy;
to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
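Review bot: the switch to `while (temp > 0)` in the ADC branch is not mentioned in the commit message, which only describes the `size < cnt` check. With the old `while (temp)`, a negative `temp` would enter the loop and `(size_t) temp` would become a huge value, so `to_copy` would be `sizeof (tmpbuf)`; please say in the message or in a comment which input (`max`, `csc_bytes` or `d->leftover`) can still make `temp` non-positive once `size < cnt` is rejected.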
@@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct
chan *d, int loop_sel,
else {
SWVoiceOut *voice = s->dac_voice[index];
- while (temp) {
+ while (temp > 0) {
int copied, to_copy;
to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
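Review bot: the DAC loop repeats the same `while (temp > 0)` change as the ADC loop, so the non-positive case is handled in two places. A single guard on `temp` where it is computed (`int temp = MIN (max, MIN (left, csc_bytes));`) would cover both branches and leave one spot to document and test.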
--
2.18.4