summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSoumya Managoli <smanag@codeaurora.org>2019-09-06 12:35:58 +0530
committerSoumya Managoli <smanag@codeaurora.org>2019-09-06 13:13:43 +0530
commit551f9915f5890b28ca3a7b6ba74ea9ed3b0be175 (patch)
tree354b38a39f90f70aa46b41918fbb5a90aa1eeac7
parent33005fb123827c8960fb903f7327c127cc3968b9 (diff)
dsp: adm: Fix to avoid memory overread in adm callback
For ADM_CMDRSP_GET_PP_PARAMS_V5 cmd response, the check for data payload_size is incorrect. Modify the check condition to make sure there is enough data to copy, size is contained in payload[3]. Change-Id: I2f155ad8b302e89131ee85cfc72e4009dda617d3 Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
-rw-r--r--dsp/q6adm.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/dsp/q6adm.c b/dsp/q6adm.c
index 8d8a473..736d2be 100644
--- a/dsp/q6adm.c
+++ b/dsp/q6adm.c
@@ -1762,7 +1762,8 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv)
idx = ADM_GET_PARAMETER_LENGTH * copp_idx;
if ((payload[0] == 0) && (data->payload_size >
(4 * sizeof(*payload))) &&
- (data->payload_size - 4 >=
+ (data->payload_size -
+ (4 * sizeof(*payload)) >=
payload[3]) &&
(ARRAY_SIZE(adm_get_parameters) >
idx) &&