Commit 22bbf1a9 authored by Prasad J Pandit's avatar Prasad J Pandit Committed by zhanghailiang
Browse files

es1370: check total frame count against current frame 



A guest user may set channel frame count via es1370_write()
such that, in es1370_transfer_audio(), total frame count
'size' is lesser than the number of frames that are processed
'cnt'.

    int cnt = d->frame_cnt >> 16;
    int size = d->frame_cnt & 0xffff;

if (size < cnt), it results in incorrect calculations leading
to OOB access issue(s). Add check to avoid it.

Reported-by: default avatarRen Ding <rding@gatech.edu>
Reported-by: default avatarHanqing Zhao <hanqing@gatech.edu>
Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
Message-id: 20200514200608.1744203-1-ppandit@redhat.com
Signed-off-by: default avatarGerd Hoffmann <kraxel@redhat.com>
parent 0985fd99

hw/audio/es1370.c

+5 −2
Original line number Diff line number Diff line
@@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, 
    int csc_bytes = (csc + 1) << d->shift;

    int cnt = d->frame_cnt >> 16;

    int size = d->frame_cnt & 0xffff;

    if (size < cnt) {

        return;

    }

    int left = ((size - cnt + 1) << 2) + d->leftover;

    int transferred = 0;

    int temp = audio_MIN (max, audio_MIN (left, csc_bytes));
@@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, 
    addr += (cnt << 2) + d->leftover;



    if (index == ADC_CHANNEL) {

        while (temp) {

        while (temp > 0) {

            int acquired, to_copy;



            to_copy = audio_MIN ((size_t) temp, sizeof (tmpbuf));
@@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, 
    else {

        SWVoiceOut *voice = s->dac_voice[index];



        while (temp) {

        while (temp > 0) {

            int copied, to_copy;



            to_copy = audio_MIN ((size_t) temp, sizeof (tmpbuf));