diff options
| author |   Soumya Managoli <smanag@codeaurora.org> | 2019-09-06 12:35:58 +0530 |
|---|---|---|
| committer | Soumya Managoli <smanag@codeaurora.org> | 2019-09-06 13:13:43 +0530 |
| commit | 551f9915f5890b28ca3a7b6ba74ea9ed3b0be175 (patch) | |
| tree | 354b38a39f90f70aa46b41918fbb5a90aa1eeac7 | |
| parent | 33005fb123827c8960fb903f7327c127cc3968b9 (diff) | |
dsp: adm: Fix to avoid memory overread in adm callback
For ADM_CMDRSP_GET_PP_PARAMS_V5 cmd response,
the check for data payload_size is incorrect.
Modify the check condition to make sure there
is enough data to copy, size is contained in
payload[3].
Change-Id: I2f155ad8b302e89131ee85cfc72e4009dda617d3
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
| -rw-r--r-- | dsp/q6adm.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/dsp/q6adm.c b/dsp/q6adm.c index 8d8a473..736d2be 100644 --- a/dsp/q6adm.c +++ b/dsp/q6adm.c @@ -1762,7 +1762,8 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv) idx = ADM_GET_PARAMETER_LENGTH * copp_idx; if ((payload[0] == 0) && (data->payload_size > (4 * sizeof(*payload))) && - (data->payload_size - 4 >= + (data->payload_size - + (4 * sizeof(*payload)) >= payload[3]) && (ARRAY_SIZE(adm_get_parameters) > idx) && |