audio: cadence: validate TLV param size before applying config

Bound each host-supplied module_param against the bytes remaining
to avoid an OOB read or a stalled loop.

Signed-off-by: Adrian Bonislawski <adrian.bonislawski@intel.com>

Author: abonislawski

src/audio/module_adapter/module/cadence.c

@@ -358,6 +358,24 @@ int cadence_codec_apply_params(struct processing_module *mod, int size, void *da
 	 */
 	while (size > 0) {
 		param = data;
+
+		/* Host-supplied blob: the header must fit before param->size
+		 * can be read.
+		 */
+		if (size < (int)sizeof(*param)) {
+			comp_err(dev, "param header truncated, %d bytes left", size);
+			return -EINVAL;
+		}
+
+		/* param->size covers the whole record and must fit in the
+		 * remaining bytes.
+		 */
+		if (param->size <= sizeof(*param) || param->size > (uint32_t)size) {
+			comp_err(dev, "invalid param size %u, %d bytes left",
+				 param->size, size);
+			return -EINVAL;
+		}
+
 		comp_dbg(dev, "cadence_codec_apply_config() applying param %d value %d",
 			 param->id, param->data[0]);