rimage: bound module manifest count from input

The number of module manifests packed in a section came from the input file and
drove writes into the fixed-size module descriptor array. Reject a count above
the maximum before the write loop.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

Author: lrgirdwo

tools/rimage/src/manifest.c

@@ -534,6 +534,18 @@ static int man_module_create_reloc(struct image *image, struct manifest_module *
 		return -ENOEXEC;
 	}
 
+	/*
+	 * n_mod comes from the (potentially untrusted) ELF and each manifest
+	 * consumes a sof_man_module descriptor slot written into fw_image.
+	 * Bound it so a crafted .module section cannot overflow the manifest.
+	 */
+	if (n_mod > MAX_MODULES) {
+		fprintf(stderr, "error: too many module manifests (%u > %u) in '.module' section.\n",
+			n_mod, MAX_MODULES);
+		elf_section_free(&section);
+		return -ENOEXEC;
+	}
+
 	unsigned int i;
 
 	for (i = 0, sof_mod = section.data; i < n_mod; i++, sof_mod++) {