smart_amp: bound get-config copy by config struct size

The config read-back used the stored config size as the memcpy source
length from a fixed-size struct; a host-set oversized size read adjacent
heap. Bound the length by the struct size as well as the destination.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

Author: lrgirdwo

src/audio/smart_amp/smart_amp.c

@@ -289,7 +289,11 @@ static int smart_amp_get_config(struct processing_module *mod,
 	comp_dbg(dev, "actual blob size = %zu, expected blob size = %zu",
 		 bs, sizeof(struct sof_smart_amp_config));
 
-	if (bs == 0 || bs > size)
+	/* bs is the host-set config.size and is used as the memcpy source
+	 * length from the fixed-size sad->config, so bound it by the struct
+	 * size as well as the destination buffer
+	 */
+	if (bs == 0 || bs > size || bs > sizeof(struct sof_smart_amp_config))
 		return -EINVAL;
 
 	ret = memcpy_s(cdata->data->data, size, &sad->config, bs);