audio: copier: validate channels_count in copier_set_gain

abonislawski · abonislawski · commit 3c5166686c34 · 2026-06-12T13:48:13.000+02:00
channels is host-controlled (8-bit, 0-255).
Without validation it drives the memcpy length (channels * sizeof(uint16_t))
against a MAX_GAIN_COEFFS_CNT-sized stack buffer and, for channels == 0,
causes divide-by-zero in the coefficient replication loop.
Reject values outside [1, MAX_GAIN_COEFFS_CNT].

Signed-off-by: Adrian Bonislawski &lt;adrian.bonislawski@intel.com&gt;
diff --git a/src/audio/copier/copier_gain.c b/src/audio/copier/copier_gain.c
@@ -150,7 +150,7 @@ int copier_gain_dma_control(union ipc4_connector_node_id node, const char *confi
 		}
 
 		struct ipc4_copier_module_cfg *copier_cfg = cd->dd[0]->dai_spec_config;
-		const int channels = copier_cfg->base.audio_fmt.channels_count;
+		const uint32_t channels = copier_cfg->base.audio_fmt.channels_count;
 
 		ret = copier_set_gain(dev, cd->dd[0]->gain_data, gain_data, channels);
 		if (ret)
@@ -162,7 +162,7 @@ int copier_gain_dma_control(union ipc4_connector_node_id node, const char *confi
 }
 
 int copier_set_gain(struct comp_dev *dev, struct copier_gain_params *gain_params,
-		    struct gain_dma_control_data *gain_data, int channels)
+		    struct gain_dma_control_data *gain_data, uint32_t channels)
 {
 	uint16_t static_gain[MAX_GAIN_COEFFS_CNT];
 	int ret;
@@ -172,6 +172,11 @@ int copier_set_gain(struct comp_dev *dev, struct copier_gain_params *gain_params
 		return -EINVAL;
 	}
 
+	if (channels == 0 || channels > MAX_GAIN_COEFFS_CNT) {
+		comp_err(dev, "invalid channels count %u", channels);
+		return -EINVAL;
+	}
+
 	/* Set gain coefficients */
 	comp_info(dev, "Update gain coefficients from DMA_CONTROL ipc");
 
diff --git a/src/audio/copier/copier_gain.h b/src/audio/copier/copier_gain.h
@@ -8,6 +8,7 @@
 #ifndef __SOF_COPIER_GAIN_H__
 #define __SOF_COPIER_GAIN_H__
 
+#include <stdint.h>
 #include <sof/audio/buffer.h>
 #include <ipc4/base_fw.h>
 #include <ipc4/gateway.h>
@@ -219,7 +220,7 @@ enum copier_gain_state copier_gain_eval_state(struct copier_gain_params *gain_pa
  * @return 0 on success, otherwise a negative error code.
  */
 int copier_set_gain(struct comp_dev *dev, struct copier_gain_params *gain_params,
-		    struct gain_dma_control_data *gain_data, int channels);
+		    struct gain_dma_control_data *gain_data, uint32_t channels);
 
 /**
  * Checks for unity gain mode.

Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,7 @@ int copier_gain_dma_control(union ipc4_connector_node_id node, const char *confi`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`struct ipc4_copier_module_cfg *copier_cfg = cd->dd[0]->dai_spec_config;`
`153`		`- const int channels = copier_cfg->base.audio_fmt.channels_count;`
	`153`	`+ const uint32_t channels = copier_cfg->base.audio_fmt.channels_count;`
`154`	`154`
`155`	`155`	`ret = copier_set_gain(dev, cd->dd[0]->gain_data, gain_data, channels);`
`156`	`156`	`if (ret)`
`@@ -162,7 +162,7 @@ int copier_gain_dma_control(union ipc4_connector_node_id node, const char *confi`
`162`	`162`	`}`
`163`	`163`
`164`	`164`	`int copier_set_gain(struct comp_dev dev, struct copier_gain_params gain_params,`
`165`		`- struct gain_dma_control_data *gain_data, int channels)`
	`165`	`+ struct gain_dma_control_data *gain_data, uint32_t channels)`
`166`	`166`	`{`
`167`	`167`	`uint16_t static_gain[MAX_GAIN_COEFFS_CNT];`
`168`	`168`	`int ret;`
`@@ -172,6 +172,11 @@ int copier_set_gain(struct comp_dev dev, struct copier_gain_params gain_params`
`172`	`172`	`return -EINVAL;`
`173`	`173`	`}`
`174`	`174`
	`175`	`+ if (channels == 0 \|\| channels > MAX_GAIN_COEFFS_CNT) {`
	`176`	`+ comp_err(dev, "invalid channels count %u", channels);`
	`177`	`+ return -EINVAL;`
	`178`	`+ }`
	`179`	`+`
`175`	`180`	`/* Set gain coefficients */`
`176`	`181`	`comp_info(dev, "Update gain coefficients from DMA_CONTROL ipc");`
`177`	`182`