ALSA: wavefront: Fix integer overflow in sample size validation

The wavefront_send_sample() function has an integer overflow issue when validating sample size. The header->size field is u32 but gets cast to int for comparison with dev->freemem Fix by using unsigned comparison to avoid integer overflow. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Junrui Luo <moonafterrain@outlook.com> Link: https://patch.msgid.link/SYBPR01MB7881B47789D1B060CE8BF4C3AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
author: Junrui Luo <moonafterrain@outlook.com> 2025-11-06 10:49:46 +0800
committer: Takashi Iwai <tiwai@suse.de> 2025-11-06 11:03:28 +0100
commit: 0c4a13ba88594fd4a27292853e736c6b4349823d (patch)
tree: a6a585e2fb1504516b0d5d0eae531afb79df3e52
parent: e11c5c13ce0ab2325d38fe63500be1dd88b81e38 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c
index cd5c177943aa..0d78533e1cfd 100644
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -950,9 +950,9 @@ wavefront_send_sample (snd_wavefront_t *dev,
 	if (header->size) {
 		dev->freemem = wavefront_freemem (dev);
 
-		if (dev->freemem < (int)header->size) {
+		if (dev->freemem < 0 || dev->freemem < header->size) {
 			dev_err(dev->card->dev,
-				"insufficient memory to load %d byte sample.\n",
+				"insufficient memory to load %u byte sample.\n",
 				header->size);
 			return -ENOMEM;
 		}
author	Junrui Luo <moonafterrain@outlook.com>	2025-11-06 10:49:46 +0800
committer	Takashi Iwai <tiwai@suse.de>	2025-11-06 11:03:28 +0100
commit	0c4a13ba88594fd4a27292853e736c6b4349823d (patch)
tree	a6a585e2fb1504516b0d5d0eae531afb79df3e52
parent	e11c5c13ce0ab2325d38fe63500be1dd88b81e38 (diff)