+-- On Fri, 15 May 2020, P J P wrote --+ | From: Prasad J Pandit <p...@fedoraproject.org> | | A guest user may set channel frame count via es1370_write() | such that, in es1370_transfer_audio(), total frame count | 'size' is lesser than the number of frames that are processed | 'cnt'. | | int cnt = d->frame_cnt >> 16; | int size = d->frame_cnt & 0xffff; | | if (size < cnt), it results in incorrect calculations leading | to OOB access issue(s). Add check to avoid it. |
Ping...! -- Prasad J Pandit / Red Hat Product Security Team 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
