authorPixelBot AutoMerger <android-nexus-securitybot@system.gserviceaccount.com>2023-09-10 18:11:11 -0700
committerPindar Yang <pindaryang@google.com>2023-09-12 03:58:53 +0000
commit4584a0a8675cfc03b991ba80d3ccf5af1da7f77f (patch)
tree8c9b0e5a1fd16f0ff8c2791f6acb309c922803dd
parent9b74f93bf84fd3a00c21b51b8ca2f6311cc662d3 (diff)
parente867414fa42b483659dd56e5d4f0e6d4f1a5bb9d (diff)
downloadmsm-extra-4584a0a8675cfc03b991ba80d3ccf5af1da7f77f.tar.gz
Merge android-msm-pixel-4.19-udc into android-msm-pixel-4.19-udc-qpr1
Bug: 292447561 SBMerger: 558810260 Change-Id: Ic4051261e70024dd46a78cc27ea0745172a59f08 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
-rw-r--r--asoc/msm-pcm-host-voice-v2.c11
-rw-r--r--asoc/msm-pcm-voip-v2.c24
-rw-r--r--dsp/q6core.c9
3 files changed, 43 insertions, 1 deletions
diff --git a/asoc/msm-pcm-host-voice-v2.c b/asoc/msm-pcm-host-voice-v2.c
index 41c3982d..36728eb0 100644
--- a/asoc/msm-pcm-host-voice-v2.c
+++ b/asoc/msm-pcm-host-voice-v2.c
@@ -656,6 +656,11 @@ static void hpcm_copy_playback_data_from_queue(struct dai_data *dai_data,
struct hpcm_buf_node, list);
list_del(&buf_node->list);
*len = buf_node->frame.len;
+ if (*len > HPCM_MAX_VOC_PKT_SIZE) {
+ pr_err("%s: Playback data len %d overflow\n",
+ __func__, *len);
+ return;
+ }
memcpy((u8 *)dai_data->vocpcm_ion_buffer.kvaddr,
&buf_node->frame.voc_pkt[0],
buf_node->frame.len);
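Review bot: The early `return` added after `list_del(&buf_node->list)` exits with the node unlinked from its queue and `*len` still holding the rejected oversized value, so the buffer node is lost and the caller sees a length that was never copied. The start of hpcm_copy_playback_data_from_queue is outside the hunk, but the sibling capture function in this file takes `dai_data->dsp_lock` with `spin_lock_irqsave`; if this function holds the same lock at this point, the return also leaves it held with interrupts disabled. I would set `*len = 0;`, requeue the node (assuming consumed nodes go to the free queue, `list_add_tail(&buf_node->list, &dai_data->free_queue);`) and release any held lock before returning, or jump to the function's existing unlock path.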
@@ -683,6 +688,12 @@ static void hpcm_copy_capture_data_to_queue(struct dai_data *dai_data,
if (dai_data->substream == NULL)
return;
+ if (len > HPCM_MAX_VOC_PKT_SIZE) {
+ pr_err("%s: Copy capture data len %d overflow\n",
+ __func__, len);
+ return;
+ }
+
/* Copy out buffer packet into free_queue */
spin_lock_irqsave(&dai_data->dsp_lock, dsp_flags);
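Review bot: The `pr_err` added here runs once per rejected packet, so a source that keeps producing oversized lengths can flood the kernel log; `pr_err_ratelimited("%s: Copy capture data len %d overflow\n", __func__, len);` keeps the diagnostic without that cost. The same applies to the `pr_err` in the playback hunk above and to the three added in voip_process_ul_pkt. The declaration of `len` is outside the hunk; if it is an unsigned 32-bit value, `%u` is the matching specifier.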
diff --git a/asoc/msm-pcm-voip-v2.c b/asoc/msm-pcm-voip-v2.c
index e2ad13b4..76c0bb11 100644
--- a/asoc/msm-pcm-voip-v2.c
+++ b/asoc/msm-pcm-voip-v2.c
@@ -1,5 +1,6 @@
// SPDX-License-Identifier: GPL-2.0-only
-/* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/init.h>
@@ -365,6 +366,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt,
switch (prtd->mode) {
case MODE_AMR_WB:
case MODE_AMR: {
+ if (pkt_len <= DSP_FRAME_HDR_LEN) {
+ pr_err("%s: pkt_len %d is < required len\n",
+ __func__, pkt_len);
+ spin_unlock_irqrestore(&prtd->dsp_ul_lock,
+ dsp_flags);
+ return;
+ }
/* Remove the DSP frame info header. Header format:
* Bits 0-3: Frame rate
* Bits 4-7: Frame type
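Review bot: The three early returns added to voip_process_ul_pkt (here, in the MODE_4GV_* case and in the two-frame case further down) release `dsp_ul_lock` but do nothing with `buf_node`; the later hunk shows `buf_node` already in use at that point, so if it was unlinked from a free list before the `switch` (not visible in these hunks), each rejected packet permanently shrinks the buffer pool. Returning the node to its list before unlocking would avoid that, and a single error label would replace the three copies of the block. The message also reads `is < required len` while the test is `<=`, so a packet of exactly the header length is reported inaccurately. Only the lower bound is checked here; whether `pkt_len` is also bounded against the destination buffer is not visible in the hunk and is worth confirming.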
@@ -385,6 +393,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt,
case MODE_4GV_NB:
case MODE_4GV_WB:
case MODE_4GV_NW: {
+ if (pkt_len <= DSP_FRAME_HDR_LEN) {
+ pr_err("%s: pkt_len %d is < required len\n",
+ __func__, pkt_len);
+ spin_unlock_irqrestore(&prtd->dsp_ul_lock,
+ dsp_flags);
+ return;
+ }
/* Remove the DSP frame info header.
* Header format:
* Bits 0-3: frame rate
@@ -422,6 +437,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt,
buf_node->frame.frm_hdr.timestamp = timestamp;
voc_pkt = voc_pkt + DSP_FRAME_HDR_LEN;
+ if (pkt_len <= 2 * DSP_FRAME_HDR_LEN) {
+ pr_err("%s: pkt_len %d is < required len\n",
+ __func__, pkt_len);
+ spin_unlock_irqrestore(&prtd->dsp_ul_lock,
+ dsp_flags);
+ return;
+ }
/* There are two frames in the buffer. Length of the
* first frame:
*/
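Review bot: In this case the length check sits after `voc_pkt = voc_pkt + DSP_FRAME_HDR_LEN;` and after the `frm_hdr.timestamp` write, whereas the other two cases test `pkt_len` as the first statement. Any read of the header byte earlier in this case (above the hunk, not visible) would already have happened on a too-short packet, so I would move the `if (pkt_len <= 2 * DSP_FRAME_HDR_LEN)` block to the top of the case. The case body starts and ends outside the hunk.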
diff --git a/dsp/q6core.c b/dsp/q6core.c
index 093a3db8..dae0a03c 100644
--- a/dsp/q6core.c
+++ b/dsp/q6core.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/kernel.h>
@@ -474,6 +475,12 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
case AVCS_CMD_RSP_LOAD_MODULES:
pr_debug("%s: Received AVCS_CMD_RSP_LOAD_MODULES\n",
__func__);
+ if (data->payload_size != ((sizeof(struct avcs_load_unload_modules_sec_payload)
+ * rsp_payload->num_modules) + sizeof(uint32_t))) {
+ pr_err("%s: payload size not equal to expected size %d\n",
+ __func__,data->payload_size);
+ return -EINVAL;
+ }
memcpy(rsp_payload, data->payload, data->payload_size);
q6core_lcl.avcs_module_resp_received = 1;
wake_up(&q6core_lcl.avcs_module_load_unload_wait);
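Review bot: The new size check reads `rsp_payload->num_modules` with no NULL test in the visible lines; `rsp_payload` is neither a parameter of aprv2_core_fn_q nor declared in the hunk, so it looks like state shared with the requester, and a response arriving with no request outstanding would dereference whatever the pointer holds. `if (!rsp_payload || data->payload_size != ...)` would cover that, provided the pointer is cleared when the buffer is freed. The `memcpy` that follows copies from the start of `rsp_payload`, so if `num_modules` is the leading field (the `+ sizeof(uint32_t)` suggests it is), the count stored by the requester is overwritten with the value carried in the payload; comparing the two after the copy, or restoring the expected count, keeps later consumers from iterating on an unvalidated number. Minor: `__func__,data->payload_size` is missing a space after the comma.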
@@ -998,6 +1005,8 @@ int32_t q6core_avcs_load_unload_modules(struct avcs_load_unload_modules_payload
return -ENOMEM;
}
+ rsp_payload->num_modules = num_modules;
+
memcpy((uint8_t *)mod + sizeof(struct apr_hdr) +
sizeof(struct avcs_load_unload_modules_meminfo),
payload, payload_size);
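Review bot: This assignment is what the response handler's size check depends on, but nothing at the call site says so. A comment such as `/* expected count; aprv2_core_fn_q() checks the response size against this */` would make the coupling between the two functions visible. The allocation of `rsp_payload` is above the hunk, so it is worth confirming that the `-ENOMEM` path just before this line covers that allocation and not only the command buffer.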