ALSA: wavefront: copy userspace array safely

wavefront_fx.c utilizes memdup_user() to copy a userspace array. This does not check for an overflow. Use the new wrapper memdup_array_user() to copy the array more safely. Suggested-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Philipp Stanner <pstanner@redhat.com> Link: https://lore.kernel.org/r/20231102190309.50891-2-pstanner@redhat.comSigned-off-by: Takashi Iwai <tiwai@suse.de>

ALSA: wavefront: copy userspace array safely
wavefront_fx.c utilizes memdup_user() to copy a userspace array. This does not check for an overflow. Use the new wrapper memdup_array_user() to copy the array more safely. Suggested-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Philipp Stanner <pstanner@redhat.com> Link: https://lore.kernel.org/r/20231102190309.50891-2-pstanner@redhat.comSigned-off-by: Takashi Iwai <tiwai@suse.de>
5a774572 · Philipp Stanner · Takashi Iwai · d04ce411 · 5a774572
Commit 5a774572 authored Nov 02, 2023 by Philipp Stanner Committed by Takashi Iwai Nov 20, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

sound/isa/wavefront/wavefront_fx.c sound/isa/wavefront/wavefront_fx.c +3 -3

No files found.
--- a/sound/isa/wavefront/wavefront_fx.c
+++ b/sound/isa/wavefront/wavefront_fx.c
@@ -191,9 +191,9 @@ snd_wavefront_fx_ioctl (struct snd_hwdep *sdev, struct file *file,
 					    "> 512 bytes to FX\n");
 				return -EIO;
 			}
-			page_data = memdup_user((unsigned char __user *)
-						r.data[3],
-						r.data[2] * sizeof(short));
+			page_data = memdup_array_user((unsigned char __user *)
+						      r.data[3],
+						      r.data[2], sizeof(short));
 			if (IS_ERR(page_data))
 				return PTR_ERR(page_data);
 			pd = page_data;