!15634 ALSA: oss: Fix PCM OSS buffer allocation overflow (9b14a943) · Commits · EulixOS / Software / Kernel

sound/core/oss/pcm_oss.c

+8 −4

Original line number	Diff line number	Diff line
		@@ -789,6 +789,11 @@ static int snd_pcm_oss_period_size(struct snd_pcm_substream *substream,

		if (oss_period_size < 16)
		return -EINVAL;

		/* don't allocate too large period; 1MB period must be enough */
		if (oss_period_size > 1024 * 1024)
		return -ENOMEM;

		runtime->oss.period_bytes = oss_period_size;
		runtime->oss.period_frames = 1;
		runtime->oss.periods = oss_periods;
		@@ -1053,10 +1058,9 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream)
		goto failure;
		}
		#endif
		oss_period_size *= oss_frame_size;

		oss_buffer_size = oss_period_size * runtime->oss.periods;
		if (oss_buffer_size < 0) {
		oss_period_size = array_size(oss_period_size, oss_frame_size);
		oss_buffer_size = array_size(oss_period_size, runtime->oss.periods);
		if (oss_buffer_size <= 0) {
		err = -EINVAL;
		goto failure;
		}

+4 −1

Original line number	Diff line number	Diff line
		@@ -61,7 +61,10 @@ static int snd_pcm_plugin_alloc(struct snd_pcm_plugin *plugin, snd_pcm_uframes_t
		}
		if ((width = snd_pcm_format_physical_width(format->format)) < 0)
		return width;
		size = frames * format->channels * width;
		size = array3_size(frames, format->channels, width);
		/* check for too large period size once again */
		if (size > 1024 * 1024)
		return -ENOMEM;
		if (snd_BUG_ON(size % 8))
		return -ENXIO;
		size /= 8;