
asoc: msm-routing: Fix array out of bounds issue
author Soumya Managoli <smanag@codeaurora.org>
Wed, 16 Oct 2019 11:18:20 +0000 (16:48 +0530)
committer Gerrit - the friendly Code Review server <code-review@localhost>
Thu, 17 Oct 2019 10:59:51 +0000 (03:59 -0700)
It seems there is a chance of out-of-bounds access to the lsm_app_type_cfg
array within the msm_routing_get_lsm_app_type_cfg_control() callback.
Added a case check to return an invalid value if the user tries to exceed
the maximum allocated size of the array, to avoid it.

Change-Id: Ied86e6c9a957255c55bb126a09741fbde429be32
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c

index 965de5c..ed3ee03 100644 (file)
@@ -15269,16 +15269,18 @@ static int msm_routing_put_lsm_app_type_cfg_control(
                                        struct snd_ctl_elem_value *ucontrol)
 {
        int i = 0, j;
-       int num_app_types = ucontrol->value.integer.value[i++];
+       int num_app_types;
 
-       memset(lsm_app_type_cfg, 0, MAX_APP_TYPES*
-                               sizeof(struct msm_pcm_routing_app_type_data));
-       if (num_app_types > MAX_APP_TYPES) {
+       if (ucontrol->value.integer.value[0] > MAX_APP_TYPES) {
                pr_err("%s: number of app types exceed the max supported\n",
                        __func__);
                return -EINVAL;
        }
 
+       num_app_types = ucontrol->value.integer.value[i++];
+       memset(lsm_app_type_cfg, 0, MAX_APP_TYPES*
+               sizeof(struct msm_pcm_routing_app_type_data));
+
        for (j = 0; j < num_app_types; j++) {
                lsm_app_type_cfg[j].app_type =
                                ucontrol->value.integer.value[i++];
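Review bot: the new test on `ucontrol->value.integer.value[0]` checks only the upper limit, and it is applied to the raw control value instead of to the `int num_app_types` that bounds the `for (j = 0; j < num_app_types; j++)` loop. If the control value is wider than `int`, a value that passes `> MAX_APP_TYPES` can still convert to a different count on assignment. Suggest assigning first and validating the variable the loop uses, with both bounds: `if (num_app_types < 0 || num_app_types > MAX_APP_TYPES)`. The removed lines already rejected `num_app_types > MAX_APP_TYPES` before the loop, so the visible behaviour change here is that `memset(lsm_app_type_cfg, ...)` no longer clears the table when the input is rejected; the commit message should say that. The message also names `msm_routing_get_lsm_app_type_cfg_control()`, while this hunk is in `msm_routing_put_lsm_app_type_cfg_control()`; please correct the name or include the matching change to the get callback.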