From 7ed2ffb4dd643f75022d1c18f2b7e615e9559840 Mon Sep 17 00:00:00 2001
From: Ben Zhang
Date: Fri, 22 Apr 2016 17:59:40 -0700
Subject: mixer: check for overflow and NULL return
Signed-off-by: Ben Zhang
---
 mixer.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/mixer.c b/mixer.c
index 7c5c5dc..f270ca8 100644
--- a/mixer.c
+++ b/mixer.c
@@ -28,6 +28,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -366,7 +367,11 @@ int mixer_ctl_get_array(struct mixer_ctl *ctl, void *array, size_t count)
 struct snd_ctl_tlv *tlv;
 int ret;
+ if (count > SIZE_MAX - sizeof(*tlv))
+ return -EINVAL;
 tlv = calloc(1, sizeof(*tlv) + count);
+ if (!tlv)
+ return -ENOMEM;
 tlv->numid = ctl->info.id.numid;
 tlv->length = count;
 ret = ioctl(ctl->mixer->fd, SNDRV_CTL_IOCTL_TLV_READ, tlv);
@@ -462,7 +467,11 @@ int mixer_ctl_set_array(struct mixer_ctl *ctl, const void *array, size_t count)
 if (ctl->info.access & SNDRV_CTL_ELEM_ACCESS_TLV_READWRITE) {
 struct snd_ctl_tlv *tlv;
 int ret = 0;
+ if (count > SIZE_MAX - sizeof(*tlv))
+ return -EINVAL;
 tlv = calloc(1, sizeof(*tlv) + count);
+ if (!tlv)
+ return -ENOMEM;
 tlv->numid = ctl->info.id.numid;
 tlv->length = count;
 memcpy(tlv->tlv, array, count);
-- cgit v1.2.3
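Review bot: The new guard in mixer_ctl_get_array only rules out wrap-around of `sizeof(*tlv) + count`; the unchanged `tlv->length = count` just below it can still narrow the value, because `length` in `struct snd_ctl_tlv` is `unsigned int` in the kernel UAPI header (the struct definition is not part of this patch, so confirm against the header in use). On a 64-bit build a count above UINT_MAX would pass the check, and the kernel would then be told a smaller length than the one used for the allocation. Consider `if (count > UINT_MAX || count > SIZE_MAX - sizeof(*tlv)) return -EINVAL;` (needs `<limits.h>`), and the same in the mixer_ctl_set_array hunk, where `memcpy(tlv->tlv, array, count)` copies the unnarrowed count. Both functions begin and end outside their hunks, so whether `tlv` is freed on every later return path cannot be judged from here.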