diff options
author | En-Shuo Hsu <enshuo@chromium.org> | 2021-02-05 13:33:24 +0800 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2021-03-08 09:47:08 +0000 |
commit | e3deafc9fbf6a900fd5622e7849bc885db3ed757 (patch) | |
tree | 2703d0fa420d3da26463edcef243de3832f73707 | |
parent | 4e8cef90572d1f2789aee72c2ed7c24fdabc9d9f (diff) | |
download | adhd-e3deafc9fbf6a900fd5622e7849bc885db3ed757.tar.gz |
cras: Fix a potential overflow caught by fuzzer
level = level * 100 / (num_of_level - 1);
If level > INT_MAX /100 then there will be a potential overflow on
signed int.
There's a level >= num_of_level check before the check so we can
guarantee the final value must <= 100. Thus, adding a cast before
the multiply should be sufficient to solve the issue.
BUG=chromium:1174635
TEST=run unit test
Change-Id: I2095f2ce17a1968390757f824d8952e5e9e87d21
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/adhd/+/2677583
Reviewed-by: Chih-Yang Hsia <paulhsia@chromium.org>
Tested-by: En-Shuo Hsu <enshuo@chromium.org>
Auto-Submit: En-Shuo Hsu <enshuo@chromium.org>
Commit-Queue: En-Shuo Hsu <enshuo@chromium.org>
-rw-r--r-- | cras/src/server/cras_hfp_slc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/cras/src/server/cras_hfp_slc.c b/cras/src/server/cras_hfp_slc.c index d3f9e5fb..28f73edc 100644 --- a/cras/src/server/cras_hfp_slc.c +++ b/cras/src/server/cras_hfp_slc.c @@ -992,7 +992,7 @@ static int vendor_specific_features(struct hfp_slc_handle *handle, if (level < 0 || num_of_level <= 1 || level >= num_of_level) goto error_out; - level = level * 100 / (num_of_level - 1); + level = (int64_t)level * 100 / (num_of_level - 1); if (handle->hf_battery != level) { handle->hf_supports_battery_indicator |= CRAS_HFP_BATTERY_INDICATOR_PLANTRONICS; |