From: Vatsal Bucha Date: Tue, 5 Mar 2019 10:30:21 +0000 (+0530) Subject: dsp: q6voice: Check size of shared memory buffer before access X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=db3b23f94285456b856e6dfd84d13133760419f4;p=sagit-ice-cold%2Fkernel_xiaomi_msm8998.git dsp: q6voice: Check size of shared memory buffer before access Check buffer size in qdsp_cvs_callback before access in ul_pkt. Change-Id: Ic19994b46086709231656ec747d2df988b7a512f Signed-off-by: Vatsal Bucha
---
diff --git a/sound/soc/msm/qdsp6v2/q6voice.c b/sound/soc/msm/qdsp6v2/q6voice.c
index 69189140c936..3193dd0de140 100644
--- a/sound/soc/msm/qdsp6v2/q6voice.c
+++ b/sound/soc/msm/qdsp6v2/q6voice.c
@@ -6782,6 +6782,11 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv)
 cvs_voc_pkt = v->shmem_info.sh_buf.buf[1].data;
 if (cvs_voc_pkt != NULL && common.mvs_info.ul_cb != NULL) {
+ if (v->shmem_info.sh_buf.buf[1].size <
+ ((3 * sizeof(uint32_t)) + cvs_voc_pkt[2])) {
+ pr_err("%s: invalid voc pkt size\n", __func__);
+ return -EINVAL;
+ }
 /* cvs_voc_pkt[0] contains tx timestamp */
 common.mvs_info.ul_cb((uint8_t *)&cvs_voc_pkt[3],
 cvs_voc_pkt[2],
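Review bot: The added size check reads `cvs_voc_pkt[2]` from the shared buffer and the `ul_cb` call three lines later reads it again, so the length that was validated is not guaranteed to be the length that is used if the other side of the shared memory rewrites that word in between. Take one snapshot, `uint32_t pkt_len = READ_ONCE(cvs_voc_pkt[2]);`, and pass `pkt_len` to `ul_cb` instead of re-reading the buffer. The comparison is safer in subtraction form, `if (buf_size < 3 * sizeof(uint32_t) || pkt_len > buf_size - 3 * sizeof(uint32_t))` with `buf_size` standing for `v->shmem_info.sh_buf.buf[1].size`: that rejects a buffer shorter than the three-word header before index 2 is trusted, and it cannot wrap on a build where `size_t` is 32 bits. qdsp_cvs_callback starts and ends outside the hunk, so whether the early `return -EINVAL` skips a later acknowledgement or cleanup step in this branch should be confirmed against the full function.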