tools: probes: reject oversized data_size_bytes to prevent integer overflow

Add a sanity check in process_sync() to reject packets with
data_size_bytes exceeding 16 MiB before performing the
data_size_bytes + sizeof(uint64_t) addition used for realloc sizing.

Without this check, a crafted probe dump with data_size_bytes near
UINT32_MAX wraps the realloc size to a small value, then the subsequent
data copy writes data_size_bytes into the undersized buffer.

Signed-off-by: Jyri Sarha <jyri.sarha@intel.com>

Author: Jyri Sarha

tools/probes/probes_demux.c

@@ -23,6 +23,7 @@
 #define APP_NAME "sof-probes"
 
 #define PACKET_MAX_SIZE	4096	/**< Size limit for probe data packet */
+#define PACKET_DATA_SIZE_MAX (16u * 1024u * 1024u)	/**< Sanity limit for packet data size */
 #define DATA_READ_LIMIT 4096	/**< Data limit for file read */
 #define FILES_LIMIT	32	/**< Maximum num of probe output files */
 #define FILE_PATH_LIMIT 128	/**< Path limit for probe output files */
@@ -194,6 +195,12 @@ int process_sync(struct dma_frame_parser *p)
 {
 	struct probe_data_packet *temp_packet;
 
+	if (p->packet->data_size_bytes > PACKET_DATA_SIZE_MAX) {
+		fprintf(stderr, "error: packet data size %u exceeds maximum %u\n",
+			p->packet->data_size_bytes, PACKET_DATA_SIZE_MAX);
+		return -EINVAL;
+	}
+
 	/* request to copy data_size from probe packet and 64-bit checksum */
 	p->total_data_to_copy = p->packet->data_size_bytes + sizeof(uint64_t);