ASoC: tegra: check ucode upper limit
Ravindra Lokhande [Mon, 8 May 2017 09:12:48 +0000 (14:12 +0530)]
Check ucode size for upper limit.

Bug 1901435
Bug 1954563
Bug 1917589

Signed-off-by: Ravindra Lokhande <rlokhande@nvidia.com>
Signed-off-by: Xia Yang <xiay@nvidia.com>
Change-Id: I2f455771147bb4466d154878d2461e472647c4fb
Reviewed-on: https://git-master.nvidia.com/r/1575925
Reviewed-on: https://git-master.nvidia.com/r/1674399
GVS: Gerrit_Virtual_Submit
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Tested-by: James Huang <jamehuang@nvidia.com>
Reviewed-by: James Huang <jamehuang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

sound/soc/tegra/tegra30_avp.c

index 44d9545..a074e25 100644 (file)
@@ -256,7 +256,7 @@ static int tegra30_avp_load_ucode(void)
        struct audio_engine_data *audio_engine;
        const struct firmware *ucode_fw;
        const struct tegra30_avp_ucode_desc *ucode_desc;
-       int ucode_size = 0, ucode_offset = 0, total_ucode_size = 0;
+       ssize_t ucode_size = 0, ucode_offset = 0, total_ucode_size = 0;
        int i, ret = 0;
 
        dev_vdbg(audio_avp->dev, "%s", __func__);
@@ -296,13 +296,14 @@ static int tegra30_avp_load_ucode(void)
                }
 
                ucode_size = ucode_fw->size;
-               if (ucode_size <= 0) {
+               if (ucode_size <= 0 ||
+                       ucode_size > avp_ucode_desc[i].max_mem_size) {
                        dev_err(audio_avp->dev, "Invalid ucode size.");
                        ret = -EINVAL;
                        release_firmware(ucode_fw);
                        goto err_param_mem_free;
                }
-               dev_vdbg(audio_avp->dev, "%s ucode size = %d bytes",
+               dev_vdbg(audio_avp->dev, "%s ucode size = %zd bytes",
                        ucode_desc->bin_name, ucode_size);
 
                /* Read ucode */