diff options
| author | Bubble Fang <bubblefang@google.com> | 2023-09-04 07:00:53 +0000 |
|---|---|---|
| committer | Bubble Fang <bubblefang@google.com> | 2023-09-26 06:37:56 +0000 |
| commit | 7265fe49203391b581f151c0cf8cfdd3cccf461d (patch) | |
| tree | b6c87437985ac3f44fad5aef8e70df2eaf3c34e7 | |
| parent | 4584a0a8675cfc03b991ba80d3ccf5af1da7f77f (diff) | |
| download | msm-extra-7265fe49203391b581f151c0cf8cfdd3cccf461d.tar.gz | |
dsp: afe: Add check for sidetone iir config copy size
Avoid OOB access of sidetone iir config array when
iir_num_biquad_stages returned from cal block is > 10
Bug: 295051806
Change-Id: I425472f81a6a9d8916b899308af20da16a868c9d
Signed-off-by: Bubble Fang <bubblefang@google.com>
| -rw-r--r-- | dsp/q6afe.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/dsp/q6afe.c b/dsp/q6afe.c index ec76c65b..9fcf6ba4 100644 --- a/dsp/q6afe.c +++ b/dsp/q6afe.c @@ -8337,6 +8337,14 @@ static int afe_sidetone_iir(u16 tx_port_id) pr_debug("%s: adding 2 to size:%d\n", __func__, size); size = size + 2; } + + if (size > MAX_SIDETONE_IIR_DATA_SIZE) { + pr_err("%s: iir_config size is out of bounds:%d\n", __func__, size); + mutex_unlock(&this_afe.cal_data[cal_index]->lock); + ret = -EINVAL; + goto done; + } + memcpy(&filter_data.iir_config, &st_iir_cal_info->iir_config, size); mutex_unlock(&this_afe.cal_data[cal_index]->lock); |