diff options
| author | Cássio Gabriel <cassiogabrielcontato@gmail.com> | 2026-06-03 20:57:54 +0300 |
|---|---|---|
| committer | Mark Brown <broonie@kernel.org> | 2026-06-10 14:06:35 +0300 |
| commit | 8468dd79cfb2ffbdeaf7c353f63d64941cb8ba05 (patch) | |
| tree | 35459254645d7b8ebbd218cbe85b2d6d246097eb /include/linux | |
| parent | fc10b96e964ee1a7e218720652efa4447f148649 (diff) | |
| download | linux-8468dd79cfb2ffbdeaf7c353f63d64941cb8ba05.tar.xz | |
ASoC: SOF: topology: validate vendor array size before parsing
sof_parse_token_sets() reads array->size while iterating over topology
private data. The loop condition only checks that some data remains, so a
malformed topology with a truncated trailing vendor array can make the
parser read the size field before a full vendor-array header is available.
Validate that the remaining private data contains a complete
snd_soc_tplg_vendor_array header before reading array->size.
The declared array size check also needs to remain signed. asize is an int,
but sizeof(*array) has type size_t, so comparing them directly promotes
negative asize values to unsigned and lets them pass the check,
as reported in the stable review thread reference below.
Cast sizeof(*array) to int when validating the declared array size. This
rejects negative, zero and otherwise too-small sizes before the parser
dispatches to the tuple-specific code.
Link: https://lore.kernel.org/stable/CANiDSCsjR5NHqu_Ui5cOqWdJgFqmYsQ9WR8O7m0WOhngaYXFpw@mail.gmail.com/t/#m9b3be379221e79327cc13fd71009287368ef4f23
Fixes: 215e5fe75881 ("ASoC: SOF: topology: reject invalid vendor array size in token parser")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260603-sof-topology-array-size-signed-v1-1-84f97879a4ef@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions