tools: tplg_parser: fix stack buffer overflow in tplg_create_graph()

Replace unbounded strcat() calls with snprintf() that tracks remaining
buffer capacity. Add a pipeline_string_size parameter to
tplg_create_graph() so the function knows the buffer limit.

Without this fix, a crafted topology file with many or long graph
element names can overflow the caller's fixed 256-byte pipeline_string
buffer via repeated strcat(), corrupting the host stack.

Signed-off-by: Jyri Sarha <jyri.sarha@intel.com>

Author: Jyri Sarha

tools/testbench/topology_ipc3.c

@@ -98,7 +98,8 @@ static int tb_register_graph(struct tplg_context *ctx, struct tplg_comp_info *te
 
 	for (i = 0; i < num_connections; i++) {
 		ret = tplg_create_graph(ctx, num_comps, pipeline_id, temp_comp_list,
-					pipeline_string, &connection, i);
+					pipeline_string, sizeof(pipeline_string),
+					&connection, i);
 		if (ret < 0)
 			return ret;
 

tools/tplg_parser/graph.c

@@ -23,6 +23,7 @@
 /* load pipeline graph DAPM widget*/
 int tplg_create_graph(struct tplg_context *ctx, int count, int pipeline_id,
 		      struct tplg_comp_info *temp_comp_list, char *pipeline_string,
+		      size_t pipeline_string_size,
 		      struct sof_ipc_pipe_comp_connect *connection,
 		      int route_num)
 {
@@ -64,13 +65,21 @@ int tplg_create_graph(struct tplg_context *ctx, int count, int pipeline_id,
 
 	printf("loading route %s -> %s\n", source, sink);
 
-	strcat(pipeline_string, graph_elem->source);
-	strcat(pipeline_string, "->");
-
-	if (route_num == (count - 1)) {
-		strcat(pipeline_string, graph_elem->sink);
-		strcat(pipeline_string, "\n");
-	}
+	size_t cur_len = strnlen(pipeline_string, pipeline_string_size);
+	size_t remaining = pipeline_string_size > cur_len ?
+		pipeline_string_size - cur_len : 0;
+	int written;
+
+	if (route_num == (count - 1))
+		written = snprintf(pipeline_string + cur_len, remaining,
+				   "%s->%s\n", graph_elem->source,
+				   graph_elem->sink);
+	else
+		written = snprintf(pipeline_string + cur_len, remaining,
+				   "%s->", graph_elem->source);
+
+	if (written < 0 || (size_t)written >= remaining)
+		fprintf(stderr, "warning: pipeline string truncated\n");
 
 	return 0;
 }

tools/tplg_parser/include/tplg_parser/topology.h

@@ -338,6 +338,7 @@ int tplg_new_process(struct tplg_context *ctx, void *process, size_t process_siz
 
 int tplg_create_graph(struct tplg_context *ctx, int count, int pipeline_id,
 		      struct tplg_comp_info *temp_comp_list, char *pipeline_string,
+		      size_t pipeline_string_size,
 		      struct sof_ipc_pipe_comp_connect *connection,
 		      int route_num);