commit e3deafc9fbf6a900fd5622e7849bc885db3ed757
author En-Shuo Hsu <enshuo@chromium.org> Fri Feb 05 13:33:24 2021 +0800
committer Commit Bot <commit-bot@chromium.org> Mon Mar 08 09:47:08 2021 +0000
tree 2703d0fa420d3da26463edcef243de3832f73707
parent 4e8cef90572d1f2789aee72c2ed7c24fdabc9d9f

cras: Fix a potential overflow caught by fuzzer

level = level * 100 / (num_of_level - 1);
If level > INT_MAX /100 then there will be a potential overflow on
signed int.

There's a level >= num_of_level check before the check so we can
guarantee the final value must <= 100. Thus, adding a cast before
the multiply should be sufficient to solve the issue.

BUG=chromium:1174635
TEST=run unit test

Change-Id: I2095f2ce17a1968390757f824d8952e5e9e87d21
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/adhd/+/2677583
Reviewed-by: Chih-Yang Hsia <paulhsia@chromium.org>
Tested-by: En-Shuo Hsu <enshuo@chromium.org>
Auto-Submit: En-Shuo Hsu <enshuo@chromium.org>
Commit-Queue: En-Shuo Hsu <enshuo@chromium.org>

cras/src/server/cras_hfp_slc.c

diff --git a/cras/src/server/cras_hfp_slc.c b/cras/src/server/cras_hfp_slc.c
index d3f9e5f..28f73ed 100644
--- a/cras/src/server/cras_hfp_slc.c
+++ b/cras/src/server/cras_hfp_slc.c
@@ -992,7 +992,7 @@
 		if (level < 0 || num_of_level <= 1 || level >= num_of_level)
 			goto error_out;
 
-		level = level * 100 / (num_of_level - 1);
+		level = (int64_t)level * 100 / (num_of_level - 1);
 		if (handle->hf_battery != level) {
 			handle->hf_supports_battery_indicator |=
 				CRAS_HFP_BATTERY_INDICATOR_PLANTRONICS;