From 0714ffdfcbb548a16e7e814faa7af59767c45d5f Mon Sep 17 00:00:00 2001
From: Vatsal Bucha
Date: Tue, 5 Mar 2019 15:52:15 +0530
Subject: [PATCH] dsp: q6voice: Check size of shared memory buffer before access

Check buffer size in qdsp_cvs_callback before access in ul_pkt.

Change-Id: Ic19994b46086709231656ec747d2df988b7a512f
Signed-off-by: Vatsal Bucha
---
 dsp/q6voice.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/dsp/q6voice.c b/dsp/q6voice.c
index bb2bbdfa29..e1d465edeb 100644
--- a/dsp/q6voice.c
+++ b/dsp/q6voice.c
@@ -7740,6 +7740,11 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv)
 cvs_voc_pkt = v->shmem_info.sh_buf.buf[1].data;
 if (cvs_voc_pkt != NULL && common.mvs_info.ul_cb != NULL) {
+ if (v->shmem_info.sh_buf.buf[1].size <
+ ((3 * sizeof(uint32_t)) + cvs_voc_pkt[2])) {
+ pr_err("%s: invalid voc pkt size\n", __func__);
+ return -EINVAL;
+ }
 /* cvs_voc_pkt[0] contains tx timestamp */
 common.mvs_info.ul_cb((uint8_t *)&cvs_voc_pkt[3],
 cvs_voc_pkt[2],
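Review bot: The added check in qdsp_cvs_callback reads `cvs_voc_pkt[2]` from the shared buffer for the comparison, and the unchanged call below reads it again as the length passed to `ul_cb`, so the validated value is not guaranteed to be the value used if the other side of the shared memory rewrites it in between. The sum `(3 * sizeof(uint32_t)) + cvs_voc_pkt[2]` can also wrap where `size_t` is 32 bits, which would let a length close to UINT32_MAX pass the check; comparing the length against `size - 3 * sizeof(uint32_t)`, after confirming the buffer holds the three-word header, avoids that. I would read the length once into a local, validate it with the subtraction form, and pass that local to `ul_cb`, as sketched below; the type of `.size` is not visible in the hunk, so `size_t` in the sketch is an assumption. The function body starts and ends outside the hunk, so whether the early `return -EINVAL` skips later cleanup or an acknowledgement to the DSP should be confirmed against the full function.

```c
if (cvs_voc_pkt != NULL && common.mvs_info.ul_cb != NULL) {
	/* Snapshot the length once: the packet lives in shared memory. */
	uint32_t pkt_len = READ_ONCE(cvs_voc_pkt[2]);
	size_t buf_size = v->shmem_info.sh_buf.buf[1].size;

	/* Subtraction form cannot wrap once the header is known to fit. */
	if (buf_size < 3 * sizeof(uint32_t) ||
	    pkt_len > buf_size - 3 * sizeof(uint32_t)) {
		/* … unchanged: pr_err and return -EINVAL … */
	}
	/* cvs_voc_pkt[0] contains tx timestamp */
	common.mvs_info.ul_cb((uint8_t *)&cvs_voc_pkt[3],
			      pkt_len,
	/* … unchanged: remaining ul_cb arguments, outside the hunk … */
```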