mixer: check for overflow and NULL return

Change-Id: Ia3439ab17cce8a3c5aa2a8ce3cfa32a39b935d88
Signed-off-by: Ben Zhang <benzh@google.com>
diff --git a/mixer.c b/mixer.c
index 4b3d14f..c4e6765 100644
--- a/mixer.c
+++ b/mixer.c
@@ -28,6 +28,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include <unistd.h>
 #include <fcntl.h>
@@ -360,7 +361,11 @@
             struct snd_ctl_tlv *tlv;
             int ret;
 
+            if (count > SIZE_MAX - sizeof(*tlv))
+                return -EINVAL;
             tlv = calloc(1, sizeof(*tlv) + count);
+            if (!tlv)
+                return -ENOMEM;
             tlv->numid = ctl->info->id.numid;
             tlv->length = count;
             ret = ioctl(ctl->mixer->fd, SNDRV_CTL_IOCTL_TLV_READ, tlv);
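Review bot: The added bound on `count` protects only the allocation size; `tlv->length = count` two lines below still narrows it into the `length` field, which the kernel UAPI header declares as `unsigned int`. If `count` is a `size_t` (inferred from the `SIZE_MAX` comparison; the function signature is outside the hunk), a 64-bit build lets a value above `UINT_MAX` pass the check and be silently truncated in the request handed to the ioctl. Rejecting it up front keeps the buffer size and the advertised length in agreement: `if (count > UINT_MAX || count > SIZE_MAX - sizeof(*tlv)) return -EINVAL;`, which needs `<limits.h>`, not among the includes visible in the first hunk. The same applies to the write path in the hunk at -456, where `memcpy(tlv->tlv, array, count)` copies the full `count` while the kernel is told the truncated length.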
@@ -456,7 +461,11 @@
         if (ctl->info->access & SNDRV_CTL_ELEM_ACCESS_TLV_READWRITE) {
             struct snd_ctl_tlv *tlv;
             int ret = 0;
+            if (count > SIZE_MAX - sizeof(*tlv))
+                return -EINVAL;
             tlv = calloc(1, sizeof(*tlv) + count);
+            if (!tlv)
+                return -ENOMEM;
             tlv->numid = ctl->info->id.numid;
             tlv->length = count;
             memcpy(tlv->tlv, array, count);