audio: data_blob: bound blob read against data_size

abonislawski · abonislawski · commit a660742e4b94 · 2026-06-17T08:57:12.000+02:00
comp_data_blob_get_cmd() advanced data_pos by the
host-controlled num_elems each fragment with no check against
the blob size, so a fragmented bytes-get could read past
the blob and leak adjacent DSP heap to the host.
Reject reads where data_pos or num_elems exceed data_size.

Signed-off-by: Adrian Bonislawski &lt;adrian.bonislawski@intel.com&gt;
diff --git a/src/audio/data_blob.c b/src/audio/data_blob.c
@@ -628,6 +628,18 @@ int comp_data_blob_get_cmd(struct comp_data_blob_handler *blob_handler,
 			return -EINVAL;
 		}
 
+		/* Bound data_pos against data_size: host-controlled num_elems
+		 * advances it per fragment and could leak adjacent heap.
+		 */
+		if (blob_handler->data_pos >= blob_handler->data_size ||
+		    cdata->num_elems > blob_handler->data_size - blob_handler->data_pos) {
+			comp_err(blob_handler->dev,
+				 "out of bounds read: pos %u elems %u size %u",
+				 blob_handler->data_pos, cdata->num_elems,
+				 blob_handler->data_size);
+			return -EINVAL;
+		}
+
 		/* copy required size of data */
 		ret = memcpy_s(cdata->data->data, size,
 			       (char *)blob_handler->data + blob_handler->data_pos,
