
Commit 6fa7b03

committed
audio: cadence: validate TLV param size before applying config
Bound each host-supplied module_param against the bytes remaining to avoid an OOB read or a stalled loop. Signed-off-by: Adrian Bonislawski <adrian.bonislawski@intel.com>
1 parent e7b9dbe commit 6fa7b03

1 file changed

Lines changed: 13 additions & 0 deletions


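--- a/src/audio/module_adapter/module/cadence.c
+++ b/src/audio/module_adapter/module/cadence.c
@@ -358,6 +358,19 @@ int cadence_codec_apply_params(struct processing_module *mod, int size, void *da
 */
 while (size > 0) {
 param = data;
+
+if (size < (int)sizeof(*param)) {
+comp_err(dev, "param header truncated, %d bytes left", size);
+return -EINVAL;
+}
+
+/* param->size covers the whole record and must fit */
+if (param->size <= sizeof(*param) || param->size > (uint32_t)size) {
+comp_err(dev, "invalid param size %u, %d bytes left",
+param->size, size);
+return -EINVAL;
+}
+
 comp_dbg(dev, "cadence_codec_apply_config() applying param %d value %d",
 param->id, param->data[0]);
 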
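Review bot: The lower bound `param->size <= sizeof(*param)` still accepts a record with a single payload byte, yet the `comp_dbg()` directly after the check reads `param->data[0]` as a whole element (printed with `%d`, so presumably wider than one byte). On the last record in the buffer that read can still run past the end, so the bound should require one full element: `if (param->size < sizeof(*param) + sizeof(param->data[0]) || param->size > (uint32_t)size) {`. If the loop advances `data` by `param->size` (that step is outside the hunk), a size that is not a multiple of the element size would also leave the next header misaligned; it is worth rejecting such sizes or stating in the comment that the host guarantees the alignment. The body of `cadence_codec_apply_params()` starts and ends outside this hunk, so how the payload is consumed after the debug print could not be checked here.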
