ASoC: SOF: topology: reject invalid vendor array size in token parser

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

sof_parse_token_sets() accepts array->size values that can be invalid
for a vendor tuple array header. In particular, a zero size does not
advance the parser state and can lead to non-progress parsing on
malformed topology data.

Validate array->size against the minimum header size and reject values
smaller than sizeof(*array) before parsing. This preserves behavior for
valid topologies and hardens malformed-input handling.

Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>

authored by

Cássio Gabriel and committed by

Mark Brown 3 months ago 215e5fe7 a437601a

+1 -1

1 changed file

expand all

sound

soc

sof

topology.c

+1 -1

sound/soc/sof/topology.c

··· 736 736 asize = le32_to_cpu(array->size); 737 737 738 738 /* validate asize */ 739 - if (asize < 0) { /* FIXME: A zero-size array makes no sense */ 739 + if (asize < sizeof(*array)) { 740 740 dev_err(scomp->dev, "error: invalid array size 0x%x\n", 741 741 asize); 742 742 return -EINVAL;

Configure Feed

Configure Feed