author | PixelBot AutoMerger <android-nexus-securitybot@system.gserviceaccount.com> | 2023-09-10 18:11:11 -0700 |
---|---|---|
committer | Pindar Yang <pindaryang@google.com> | 2023-09-12 03:58:53 +0000 |
commit | 4584a0a8675cfc03b991ba80d3ccf5af1da7f77f (patch) | |
tree | 8c9b0e5a1fd16f0ff8c2791f6acb309c922803dd | |
parent | 9b74f93bf84fd3a00c21b51b8ca2f6311cc662d3 (diff) | |
parent | e867414fa42b483659dd56e5d4f0e6d4f1a5bb9d (diff) | |
Merge android-msm-pixel-4.19-udc into android-msm-pixel-4.19-udc-qpr1
Bug: 292447561
SBMerger: 558810260
Change-Id: Ic4051261e70024dd46a78cc27ea0745172a59f08
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
-rw-r--r-- | asoc/msm-pcm-host-voice-v2.c | 11 | ||||
-rw-r--r-- | asoc/msm-pcm-voip-v2.c | 24 | ||||
-rw-r--r-- | dsp/q6core.c | 9 |
3 files changed, 43 insertions, 1 deletions
diff --git a/asoc/msm-pcm-host-voice-v2.c b/asoc/msm-pcm-host-voice-v2.c
index 41c3982d..36728eb0 100644
--- a/asoc/msm-pcm-host-voice-v2.c
+++ b/asoc/msm-pcm-host-voice-v2.c
@@ -656,6 +656,11 @@ static void hpcm_copy_playback_data_from_queue(struct dai_data *dai_data,
 struct hpcm_buf_node, list);
 list_del(&buf_node->list);
 *len = buf_node->frame.len;
+ if (*len > HPCM_MAX_VOC_PKT_SIZE) {
+ pr_err("%s: Playback data len %d overflow\n",
+ __func__, *len);
+ return;
+ }
 memcpy((u8 *)dai_data->vocpcm_ion_buffer.kvaddr,
 &buf_node->frame.voc_pkt[0],
 buf_node->frame.len);
@@ -683,6 +688,12 @@ static void hpcm_copy_capture_data_to_queue(struct dai_data *dai_data,
 if (dai_data->substream == NULL)
 return;
+ if (len > HPCM_MAX_VOC_PKT_SIZE) {
+ pr_err("%s: Copy capture data len %d overflow\n",
+ __func__, len);
+ return;
+ }
+
 /* Copy out buffer packet into free_queue */
 spin_lock_irqsave(&dai_data->dsp_lock, dsp_flags);
diff --git a/asoc/msm-pcm-voip-v2.c b/asoc/msm-pcm-voip-v2.c
index e2ad13b4..76c0bb11 100644
--- a/asoc/msm-pcm-voip-v2.c
+++ b/asoc/msm-pcm-voip-v2.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only
-/* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/init.h>
@@ -365,6 +366,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt,
 switch (prtd->mode) {
 case MODE_AMR_WB:
 case MODE_AMR: {
+ if (pkt_len <= DSP_FRAME_HDR_LEN) {
+ pr_err("%s: pkt_len %d is < required len\n",
+ __func__, pkt_len);
+ spin_unlock_irqrestore(&prtd->dsp_ul_lock,
+ dsp_flags);
+ return;
+ }
 /* Remove the DSP frame info header. Header format:
 * Bits 0-3: Frame rate
 * Bits 4-7: Frame type
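Review bot: The new early return in hpcm_copy_playback_data_from_queue fires after `list_del(&buf_node->list)` and after `*len` has been written, so the rejected node is unlinked from its queue without being re-queued and the caller is still handed the oversized length. Setting `*len = 0;` and putting the node back on a queue before `return;` would keep the queue accounting intact. The function's locking is outside this hunk; if dsp_lock is held at this point (the capture-side function in the next hunk takes it with `spin_lock_irqsave`), the error path also has to release it, as the voip hunks in this commit do before returning.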
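Review bot: The `pr_err` added in hpcm_copy_capture_data_to_queue runs once per rejected packet, and the length it rejects is presumably supplied from outside the driver, so a peer that keeps sending oversized lengths can flood the kernel log. `pr_err_ratelimited("%s: Copy capture data len %d overflow\n", __func__, len);` bounds that; the same applies to the playback check in the previous hunk and to the three pkt_len checks in asoc/msm-pcm-voip-v2.c. The declaration of `len` is outside the hunk; if it is unsigned, `%u` is the matching specifier.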
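Review bot: The rejection block added to the MODE_AMR case is repeated verbatim in the MODE_4GV_* case and again in the two-frame case, each with its own hand-written `spin_unlock_irqrestore`; a single exit label that unlocks and returns would keep the lock release in one place. The message `pkt_len %d is < required len` does not match the `<=` test and is identical at all three sites, so a log line cannot be attributed to a case; wording such as `"%s: AMR pkt_len %d not larger than frame header\n"` would make it usable for triage. voip_process_ul_pkt starts and ends outside this hunk, so whether the later payload copy is also bounded from above could not be checked here.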
@@ -385,6 +393,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt,
 case MODE_4GV_NB:
 case MODE_4GV_WB:
 case MODE_4GV_NW: {
+ if (pkt_len <= DSP_FRAME_HDR_LEN) {
+ pr_err("%s: pkt_len %d is < required len\n",
+ __func__, pkt_len);
+ spin_unlock_irqrestore(&prtd->dsp_ul_lock,
+ dsp_flags);
+ return;
+ }
 /* Remove the DSP frame info header.
 * Header format:
 * Bits 0-3: frame rate
@@ -422,6 +437,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt,
 buf_node->frame.frm_hdr.timestamp = timestamp;
 voc_pkt = voc_pkt + DSP_FRAME_HDR_LEN;
+ if (pkt_len <= 2 * DSP_FRAME_HDR_LEN) {
+ pr_err("%s: pkt_len %d is < required len\n",
+ __func__, pkt_len);
+ spin_unlock_irqrestore(&prtd->dsp_ul_lock,
+ dsp_flags);
+ return;
+ }
 /* There are two frames in the buffer. Length of the
 * first frame:
 */
diff --git a/dsp/q6core.c b/dsp/q6core.c
index 093a3db8..dae0a03c 100644
--- a/dsp/q6core.c
+++ b/dsp/q6core.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/kernel.h>
@@ -474,6 +475,12 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
 case AVCS_CMD_RSP_LOAD_MODULES:
 pr_debug("%s: Received AVCS_CMD_RSP_LOAD_MODULES\n",
 __func__);
+ if (data->payload_size != ((sizeof(struct avcs_load_unload_modules_sec_payload)
+ * rsp_payload->num_modules) + sizeof(uint32_t))) {
+ pr_err("%s: payload size not equal to expected size %d\n",
+ __func__,data->payload_size);
+ return -EINVAL;
+ }
 memcpy(rsp_payload, data->payload, data->payload_size);
 q6core_lcl.avcs_module_resp_received = 1;
 wake_up(&q6core_lcl.avcs_module_load_unload_wait);
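Review bot: In the two-frame case the length check sits after `buf_node->frame.frm_hdr.timestamp` has been written and `voc_pkt` has been advanced, unlike the other two cases where the check is the first statement. If buf_node was already unlinked from a free list earlier in voip_process_ul_pkt (not visible in this hunk), returning here leaves it on no list, and the same would hold for the two earlier cases. The check should move to the top of the case, before buf_node is touched, or the error path should put the node back before unlocking.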
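Review bot: The added size check in aprv2_core_fn_q dereferences `rsp_payload->num_modules` inside the APR callback, and nothing in this hunk shows that `rsp_payload` is non-NULL or still allocated when an AVCS_CMD_RSP_LOAD_MODULES message arrives; a response with no request outstanding would fault here rather than be rejected. A guard such as `if (!rsp_payload) return -EINVAL;` ahead of the comparison, taken under whatever protects the pointer's lifetime (managed outside this hunk), would close that. The `-EINVAL` path also returns without setting `avcs_module_resp_received` or calling `wake_up`, so the requester presumably sleeps until its timeout instead of seeing the error. Minor: `__func__,data->payload_size` is missing a space after the comma.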
@@ -998,6 +1005,8 @@ int32_t q6core_avcs_load_unload_modules(struct avcs_load_unload_modules_payload
 return -ENOMEM;
 }
+ rsp_payload->num_modules = num_modules;
+
 memcpy((uint8_t *)mod + sizeof(struct apr_hdr) + sizeof(struct avcs_load_unload_modules_meminfo), payload, payload_size); |
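Review bot: The `rsp_payload->num_modules` stored here is the expected count only until the response is copied in: the handler's `memcpy(rsp_payload, data->payload, data->payload_size)` writes over rsp_payload from its first byte, which presumably replaces this field with the value sent by the DSP (the struct layout is not shown). The size check therefore validates the message length but not the count carried inside it, so code that later walks the response should bound its loop with the local `num_modules`, or compare the two after the wait and fail on mismatch. A comment on the assignment such as `/* expected module count; aprv2_core_fn_q() checks the response size against it */` would document the coupling. q6core_avcs_load_unload_modules continues outside the hunk.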