|
|
@@ -1189,7 +1189,9 @@ int q6asm_send_stream_cmd(struct audio_client *ac,
|
|
|
{
|
|
|
char *asm_params = NULL;
|
|
|
struct apr_hdr hdr;
|
|
|
- int sz, rc;
|
|
|
+ int rc;
|
|
|
+ uint32_t sz = 0;
|
|
|
+ uint64_t actual_sz = 0;
|
|
|
|
|
|
if (!data || !ac) {
|
|
|
pr_err("%s: %s is NULL\n", __func__,
|
|
|
@@ -1206,7 +1208,15 @@ int q6asm_send_stream_cmd(struct audio_client *ac,
|
|
|
goto done;
|
|
|
}
|
|
|
|
|
|
- sz = sizeof(struct apr_hdr) + data->payload_len;
|
|
|
+ actual_sz = sizeof(struct apr_hdr) + data->payload_len;
|
|
|
+ if (actual_sz > U32_MAX) {
|
|
|
+ pr_err("%s: payload size 0x%X exceeds limit\n",
|
|
|
+ __func__, data->payload_len);
|
|
|
+ rc = -EINVAL;
|
|
|
+ goto done;
|
|
|
+ }
|
|
|
+
|
|
|
+ sz = (uint32_t)actual_sz;
|
|
|
asm_params = kzalloc(sz, GFP_KERNEL);
|
|
|
if (!asm_params) {
|
|
|
rc = -ENOMEM;
|
Mangesh Kunchamwar