mixer: check for overflow and NULL return
Change-Id: Ia3439ab17cce8a3c5aa2a8ce3cfa32a39b935d88
Signed-off-by: Ben Zhang <benzh@google.com>
diff --git a/mixer.c b/mixer.c
index 4b3d14f..c4e6765 100644
--- a/mixer.c
+++ b/mixer.c
@@ -28,6 +28,7 @@
#include <stdio.h>
#include <stdlib.h>
+#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
@@ -360,7 +361,11 @@
struct snd_ctl_tlv *tlv;
int ret;
+ if (count > SIZE_MAX - sizeof(*tlv))
+ return -EINVAL;
tlv = calloc(1, sizeof(*tlv) + count);
+ if (!tlv)
+ return -ENOMEM;
tlv->numid = ctl->info->id.numid;
tlv->length = count;
ret = ioctl(ctl->mixer->fd, SNDRV_CTL_IOCTL_TLV_READ, tlv);
@@ -456,7 +461,11 @@
if (ctl->info->access & SNDRV_CTL_ELEM_ACCESS_TLV_READWRITE) {
struct snd_ctl_tlv *tlv;
int ret = 0;
+ if (count > SIZE_MAX - sizeof(*tlv))
+ return -EINVAL;
tlv = calloc(1, sizeof(*tlv) + count);
+ if (!tlv)
+ return -ENOMEM;
tlv->numid = ctl->info->id.numid;
tlv->length = count;
memcpy(tlv->tlv, array, count);