| author | Maoyi Xie <maoyixie.tju@gmail.com> | 2026-06-21 23:09:07 +0800 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2026-06-25 14:02:13 +0200 |
| commit | 29b9667982e4df2ed7744f86b1144f8bb58eb698 (patch) | |
| tree | 2ae9c41251b5358a916d6723aac748024865ef5b /include | |
| parent | b8ff1f3578f83dedf5feb796d97a3f67c1bea58f (diff) | |
ALSA: firewire: isight: bound the sample count to the packet payload

isight_packet() takes the frame count from the device iso packet and
checks it only against the device claimed iso length.

	count = be32_to_cpu(payload->sample_count);
	if (likely(count <= (length - 16) / 4))
		isight_samples(isight, payload->samples, count);

length is the iso header data_length. It can be up to 0xffff. So the
gate allows a count up to about 16379. isight_samples() then copies
count frames out of payload->samples into the PCM DMA buffer.

payload->samples holds only 2 * MAX_FRAMES_PER_PACKET values. The
device multiplexes two samples per frame. A count past
MAX_FRAMES_PER_PACKET reads past the payload. A count past the buffer
size writes past runtime->dma_area. The smallest PCM buffer is larger
than MAX_FRAMES_PER_PACKET. Bounding the count to MAX_FRAMES_PER_PACKET
keeps both the read and the write in range.

A malicious or faulty Apple iSight on the FireWire bus reaches this
during a normal capture.

Add the MAX_FRAMES_PER_PACKET bound to the gate.

Fixes: 3a691b28a0ca ("ALSA: add Apple iSight microphone driver")
Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/178205454729.1900991.7807310178296762772@maoyixie.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions
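
An added user-space model of the gate described in the commit message above (not the driver's code and not this commit's diff): it compares the length-only check with one that also bounds the count to MAX_FRAMES_PER_PACKET. The value 475, the 16-bit sample width and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FRAMES_PER_PACKET 475u /* assumed value; not stated on the page */
#define HEADER_BYTES 16u           /* the "(length - 16)" term of the gate */
#define FRAME_BYTES  4u            /* the "/ 4" term: two 16-bit samples (assumed) */
/* Size of a samples[] array holding 2 * MAX_FRAMES_PER_PACKET values. */
#define SAMPLES_BYTES (2u * MAX_FRAMES_PER_PACKET * sizeof(uint16_t))

/* Gate as quoted in the commit message: count is checked only against the
 * length the device claims (iso header data_length, up to 0xffff). */
static bool gate_length_only(uint32_t length, uint32_t count)
{
    if (length < HEADER_BYTES) /* keep the subtraction from wrapping in this model */
        return false;
    return count <= (length - HEADER_BYTES) / FRAME_BYTES;
}

/* Gate with the additional bound the commit message describes. */
static bool gate_bounded(uint32_t length, uint32_t count)
{
    return count <= MAX_FRAMES_PER_PACKET && gate_length_only(length, count);
}

/* Bytes that copying `count` frames would read past samples[]; 0 if in range. */
static size_t overread_bytes(uint32_t count)
{
    size_t need = (size_t)count * FRAME_BYTES;
    return need > SAMPLES_BYTES ? need - SAMPLES_BYTES : 0;
}

/* Largest count a gate admits for a claimed length. */
static uint32_t max_admitted(bool (*gate)(uint32_t, uint32_t), uint32_t length)
{
    uint32_t c = 0;
    while (c < 0x10000u && gate(length, c + 1))
        c++;
    return c;
}

int main(void)
{
    uint32_t weak = max_admitted(gate_length_only, 0xffff);
    uint32_t hard = max_admitted(gate_bounded, 0xffff);
    printf("length-only: %u frames, %zu bytes past samples[]\n", (unsigned)weak, overread_bytes(weak));
    printf("bounded:     %u frames, %zu bytes past samples[]\n", (unsigned)hard, overread_bytes(hard));
    return 0;
}
```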
