[PATCH] ALSA: wavefront: Fix integer overflow in sample size validation

Next message: Miguel Ojeda: "Re: [PATCH RFC 1/4] rust: clist: Add abstraction for iterating over C linked lists"
Previous message: Christian Marangi: "[PATCH v3 0/1] cpufreq: qcom: handle ipq806x with no SMEM"
Next in thread: Takashi Iwai: "Re: [PATCH] ALSA: wavefront: Fix integer overflow in sample size validation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: moonafterrain

Date: Tue Nov 04 2025 - 09:13:21 EST

From: Junrui Luo <moonafterrain@xxxxxxxxxxx>

The wavefront_send_sample() function has an integer overflow issue
when validating sample size. The header->size field is u32 but gets
cast to int for comparison with dev->freemem

Fix by using unsigned comparison to avoid integer overflow.

Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Reported-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
sound/isa/wavefront/wavefront_synth.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c
index cd5c177943aa..4a8c507eae71 100644
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -950,9 +950,9 @@ wavefront_send_sample (snd_wavefront_t *dev,
if (header->size) {
dev->freemem = wavefront_freemem (dev);

- if (dev->freemem < (int)header->size) {
+ if ((unsigned int)dev->freemem < header->size) {
dev_err(dev->card->dev,
- "insufficient memory to load %d byte sample.\n",
+ "insufficient memory to load %u byte sample.\n",
header->size);
return -ENOMEM;
}
--
2.51.1.dirty