On Tue, Feb 02, 2021 at 12:38:09PM +0100, Christian Gromm wrote:
> This patch zero checks the function parameter 'bytes' before doing the
> subtraction to prevent memory corruption.
> 
> Signed-off-by: Christian Gromm <christian.gr...@microchip.com>
> Reported-by: Dan Carpenter <dan.carpen...@oracle.com>
> ---
>  drivers/staging/most/sound/sound.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/staging/most/sound/sound.c 
> b/drivers/staging/most/sound/sound.c
> index 3a1a590..953a4fe 100644
> --- a/drivers/staging/most/sound/sound.c
> +++ b/drivers/staging/most/sound/sound.c
> @@ -86,6 +86,8 @@ static void swap_copy24(u8 *dest, const u8 *source, 
> unsigned int bytes)
>  {
>       unsigned int i = 0;
>  
> +     if (!bytes)
> +             return;
>       while (i < bytes - 2) {

If "bytes == 1" then this will cause problems still.  "bytes - 2"
becomes UINT_MAX.  I mean probably that's not possible but we may as
well make the sanity check if (bytes < 2) just for readability.

regards,
dan carpenter

_______________________________________________
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Reply via email to