From 7ed2ffb4dd643f75022d1c18f2b7e615e9559840 Mon Sep 17 00:00:00 2001
From: Ben Zhang <benzh@google.com>
Date: Fri, 22 Apr 2016 17:59:40 -0700
Subject: mixer: check for overflow and NULL return

Signed-off-by: Ben Zhang <benzh@google.com>
---
 mixer.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/mixer.c b/mixer.c
index 7c5c5dc..f270ca8 100644
--- a/mixer.c
+++ b/mixer.c
@@ -28,6 +28,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include <unistd.h>
 #include <fcntl.h>
@@ -366,7 +367,11 @@ int mixer_ctl_get_array(struct mixer_ctl *ctl, void *array, size_t count)
             struct snd_ctl_tlv *tlv;
             int ret;
 
+            if (count > SIZE_MAX - sizeof(*tlv))
+                return -EINVAL;
             tlv = calloc(1, sizeof(*tlv) + count);
+            if (!tlv)
+                return -ENOMEM;
             tlv->numid = ctl->info.id.numid;
             tlv->length = count;
             ret = ioctl(ctl->mixer->fd, SNDRV_CTL_IOCTL_TLV_READ, tlv);
@@ -462,7 +467,11 @@ int mixer_ctl_set_array(struct mixer_ctl *ctl, const void *array, size_t count)
         if (ctl->info.access & SNDRV_CTL_ELEM_ACCESS_TLV_READWRITE) {
             struct snd_ctl_tlv *tlv;
             int ret = 0;
+            if (count > SIZE_MAX - sizeof(*tlv))
+                return -EINVAL;
             tlv = calloc(1, sizeof(*tlv) + count);
+            if (!tlv)
+                return -ENOMEM;
             tlv->numid = ctl->info.id.numid;
             tlv->length = count;
             memcpy(tlv->tlv, array, count);
-- 
cgit v1.2.3