diff options
author | SecurityBot AutoMerger <android-nexus-securitybot@system.gserviceaccount.com> | 2020-01-10 14:09:32 -0800 |
---|---|---|
committer | SecurityBot <android-nexus-securitybot@system.gserviceaccount.com> | 2020-01-10 14:09:32 -0800 |
commit | cbb662dff036622117cdc2b5c5646817e2287c83 (patch) | |
tree | 8908e0a1b4a9698b633c1c73157e5aecdc10e41d | |
parent | bbe9ce900bc6923741e260f8b96089b928960fc7 (diff) | |
parent | 966bda4849e5453b44e69341217ee0706dafa27d (diff) | |
download | msm-extra-android-msm-bonito-4.9-r-preview-1.tar.gz |
Merge android-msm-pixel-4.9-qt-qpr2 into android-msm-pixel-4.9android-r-preview-1_r0.5android-r-preview-1_r0.3android-msm-crosshatch-4.9-r-preview-1android-msm-bonito-4.9-r-preview-1
SBMerger: 284775313
Change-Id: Ib439ddc441ceda3328934bc71e4e898be9dbcf2f
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
-rw-r--r-- | asoc/msm-cirrus-playback.c | 17 | ||||
-rw-r--r-- | asoc/msm-pcm-routing-v2.c | 11 | ||||
-rw-r--r-- | dsp/q6adm.c | 12 | ||||
-rw-r--r-- | dsp/q6voice.c | 2 |
4 files changed, 30 insertions, 12 deletions
diff --git a/asoc/msm-cirrus-playback.c b/asoc/msm-cirrus-playback.c index 697b26f4..f1b2dd55 100644 --- a/asoc/msm-cirrus-playback.c +++ b/asoc/msm-cirrus-playback.c @@ -42,6 +42,7 @@ static struct crus_single_data_t crus_enable; static struct crus_sp_ioctl_header crus_sp_hdr; static struct cirrus_cal_result_t crus_sp_cal_rslt; static int32_t *crus_sp_get_buffer; +static int32_t crus_sp_get_buffer_size; static atomic_t crus_sp_get_param_flag; struct mutex crus_sp_get_param_lock; struct mutex crus_sp_lock; @@ -200,8 +201,8 @@ static int crus_afe_get_param(int port, int module, int param, int length, mutex_lock(&crus_sp_get_param_lock); atomic_set(&crus_sp_get_param_flag, 0); - crus_sp_get_buffer = kzalloc(config->param.payload_size + 16, - GFP_KERNEL); + crus_sp_get_buffer_size = config->param.payload_size + 16; + crus_sp_get_buffer = kzalloc(crus_sp_get_buffer_size, GFP_KERNEL); if (!crus_sp_get_buffer) { pr_err("%s: kzalloc failed for crus_sp_get_buffer!\n", @@ -235,6 +236,7 @@ static int crus_afe_get_param(int port, int module, int param, int length, crus_sp_get_param_err: kfree(crus_sp_get_buffer); crus_sp_get_buffer = NULL; + crus_sp_get_buffer_size = -1; crus_sp_get_buffer_err: mutex_unlock(&crus_sp_get_param_lock); @@ -443,13 +445,22 @@ static int crus_afe_send_delta(const char *data, uint32_t length) extern int crus_afe_callback(void *payload, int size) { uint32_t *payload32 = payload; + int copysize; pr_debug("Cirrus AFE CALLBACK: size = %d\n", size); + if (size < 8) + return -EINVAL; switch (payload32[1]) { case CIRRUS_SP: if (crus_sp_get_buffer != NULL) { - memcpy(crus_sp_get_buffer, payload32, size); + copysize = (crus_sp_get_buffer_size > size) ? + size : crus_sp_get_buffer_size; + + if (copysize != size) + pr_warn("size mismatch data may lost\n"); + + memcpy(crus_sp_get_buffer, payload32, copysize); atomic_set(&crus_sp_get_param_flag, 1); } break; diff --git a/asoc/msm-pcm-routing-v2.c b/asoc/msm-pcm-routing-v2.c index 153199f8..5be547ad 100644 --- a/asoc/msm-pcm-routing-v2.c +++ b/asoc/msm-pcm-routing-v2.c @@ -12147,15 +12147,18 @@ static int msm_routing_put_lsm_app_type_cfg_control( struct snd_ctl_elem_value *ucontrol) { int i = 0, j; - int num_app_types = ucontrol->value.integer.value[i++]; + int num_app_types; - memset(lsm_app_type_cfg, 0, MAX_APP_TYPES* - sizeof(struct msm_pcm_routing_app_type_data)); - if (num_app_types > MAX_APP_TYPES) { + if (ucontrol->value.integer.value[0] > MAX_APP_TYPES) { pr_err("%s: number of app types exceed the max supported\n", __func__); return -EINVAL; } + + num_app_types = ucontrol->value.integer.value[i++]; + memset(lsm_app_type_cfg, 0, MAX_APP_TYPES* + sizeof(struct msm_pcm_routing_app_type_data)); + for (j = 0; j < num_app_types; j++) { lsm_app_type_cfg[j].app_type = ucontrol->value.integer.value[i++]; diff --git a/dsp/q6adm.c b/dsp/q6adm.c index 4d4b1bff..239f79fb 100644 --- a/dsp/q6adm.c +++ b/dsp/q6adm.c @@ -1558,7 +1558,8 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv) idx = ADM_GET_PARAMETER_LENGTH * copp_idx; if ((payload[0] == 0) && (data->payload_size > (4 * sizeof(*payload))) && - (data->payload_size - 4 >= + (data->payload_size - + (4 * sizeof(*payload)) >= payload[3]) && (ARRAY_SIZE(adm_get_parameters) > idx) && @@ -1597,9 +1598,12 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv) pr_err("%s: ADM_CMDRSP_GET_PP_TOPO_MODULE_LIST", __func__); pr_err(":err = 0x%x\n", payload[0]); - } else if (payload[1] > - ((ADM_GET_TOPO_MODULE_LIST_LENGTH / - sizeof(uint32_t)) - 1)) { + } else if ((payload[1] > + ((ADM_GET_TOPO_MODULE_LIST_LENGTH / + sizeof(uint32_t)) - 1)) || + ((data->payload_size - + (2 * sizeof(uint32_t))) < + (payload[1] * sizeof(uint32_t)))) { pr_err("%s: ADM_CMDRSP_GET_PP_TOPO_MODULE_LIST", __func__); pr_err(":size = %d\n", payload[1]); diff --git a/dsp/q6voice.c b/dsp/q6voice.c index ef6e23b5..1d5c5a75 100644 --- a/dsp/q6voice.c +++ b/dsp/q6voice.c @@ -7663,7 +7663,7 @@ static int32_t qdsp_cvp_callback(struct apr_client_data *data, void *priv) } if (data->opcode == APR_BASIC_RSP_RESULT) { - if (data->payload_size) { + if (data->payload_size >= (2 * sizeof(uint32_t))) { ptr = data->payload; pr_debug("%x %x\n", ptr[0], ptr[1]); |