audio: kpb: widen channel loop counter to match micsel_channels

tmleman · tmleman · commit a46760296c92 · 2026-06-09T19:26:12.000+02:00
The four kpb_micselect_copy16/32() variants declare the channel loop
counter "ch" as uint16_t while iterating "for (ch = 0; ch &lt; ...
micsel_channels; ch++)", where micsel_channels is uint32_t. The loop
condition promotes ch to a wider type for the comparison, so if
micsel_channels ever exceeds UINT16_MAX the counter wraps at 65536 and
the loop fails to terminate. The same narrow counter would also
truncate channel indexing.

Declare ch as uint32_t so its width matches the bound it is compared
against and the channel count it indexes. KPB_MAX_MICSEL_CHANNELS keeps
the real value small, so this is hardening rather than an observed
runaway, but the type mismatch is removed at the source.

CodeQL flagged the two non-HiFi variants (kpb.c:1112,1143); the two
KPB_HIFI3 variants (kpb.c:1050,1084) carry the identical pattern and
are fixed in the same change for consistency.

Found-by: CodeQL 2.24.2 (codeql/cpp-queries cpp-security-extended),
  rule cpp/comparison-with-wider-type. Run with database
  build-mode=none over sof/src, 867 files / 98 queries.
AI-triaged: traced ch and micsel_channels declarations across all four
  micselect copy functions and confirmed the bound is uint32_t before
  widening the counter; extended the fix to the HiFi3 variants the tool
  did not reach in this build configuration.

Signed-off-by: Tomasz Leman &lt;tomasz.m.leman@intel.com&gt;
diff --git a/src/audio/kpb.c b/src/audio/kpb.c
@@ -1033,7 +1033,7 @@ static void kpb_micselect_copy16(struct comp_buffer *sink,
 {
 	struct audio_stream *istream = &source->stream;
 	struct audio_stream *ostream = &sink->stream;
-	uint16_t ch;
+	uint32_t ch;
 	size_t i;
 
 	AE_SETCBEGIN0(audio_stream_get_addr(ostream));
@@ -1066,7 +1066,7 @@ static void kpb_micselect_copy32(struct comp_buffer *sink,
 {
 	struct audio_stream *istream = &source->stream;
 	struct audio_stream *ostream = &sink->stream;
-	uint16_t ch;
+	uint32_t ch;
 	size_t i;
 
 	AE_SETCBEGIN0(audio_stream_get_addr(ostream));
@@ -1103,7 +1103,7 @@ static void kpb_micselect_copy16(struct comp_buffer *sink,
 
 	buffer_stream_invalidate(source, size);
 	size_t out_samples;
-	uint16_t ch;
+	uint32_t ch;
 
 	const int16_t *in_data;
 	int16_t *out_data;
@@ -1135,7 +1135,7 @@ static void kpb_micselect_copy32(struct comp_buffer *sink,
 
 	buffer_stream_invalidate(source, size);
 	size_t out_samples;
-	uint16_t ch;
+	uint32_t ch;
 	const int32_t *in_data;
 	int32_t *out_data;
 	const size_t samples_per_chan = size / (sizeof(uint32_t) * micsel_channels);
