On Tue, 04 Nov 2025 15:10:18 +0100, moonafterrain@outlook.com wrote:
From: Junrui Luo moonafterrain@outlook.com
The wavefront_send_sample() function has an integer overflow issue when validating sample size. The header->size field is u32 but gets cast to int for comparison with dev->freemem
Fix by using unsigned comparison to avoid integer overflow.
This is not really a right fix, unfortunately. wavefront_freemem() itself can return a negative value, and the cast would ignore it.
A better alternative could be something like: if (dev->freemem < 0 || dev->freemem < header->size) { so that the cast can be dropped to be compared as unsigned implicitly.
Not sure whether this still triggers some warnings in the recent compilers, though. Need testing.
thanks,
Takashi
Reported-by: Yuhao Jiang danisjiang@gmail.com Reported-by: Junrui Luo moonafterrain@outlook.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Junrui Luo moonafterrain@outlook.com
sound/isa/wavefront/wavefront_synth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c index cd5c177943aa..4a8c507eae71 100644 --- a/sound/isa/wavefront/wavefront_synth.c +++ b/sound/isa/wavefront/wavefront_synth.c @@ -950,9 +950,9 @@ wavefront_send_sample (snd_wavefront_t *dev, if (header->size) { dev->freemem = wavefront_freemem (dev);
if (dev->freemem < (int)header->size) {
if ((unsigned int)dev->freemem < header->size) { dev_err(dev->card->dev,
"insufficient memory to load %d byte sample.\n",
"insufficient memory to load %u byte sample.\n", header->size); return -ENOMEM;-- 2.51.1.dirty