audio: data_blob: fix memcpy_s bounds in ipc4_comp_data_blob_set

abonislawski · abonislawski · commit a8c1a5e6e9c0 · 2026-06-11T10:46:43.000+02:00
Pass the real destination capacity instead of the copy count
so the size check is effective, preventing
a host-controlled heap overflow of data_new.

Signed-off-by: Adrian Bonislawski &lt;adrian.bonislawski@intel.com&gt;
diff --git a/src/audio/data_blob.c b/src/audio/data_blob.c
@@ -365,8 +365,11 @@ int ipc4_comp_data_blob_set(struct comp_data_blob_handler *blob_handler,
 		valid_data_size = last_block ? data_offset : MAILBOX_DSPBOX_SIZE;
 
 		ret = memcpy_s((char *)blob_handler->data_new,
-			       valid_data_size, data, valid_data_size);
-		assert(!ret);
+			       blob_handler->new_data_size, data, valid_data_size);
+		if (ret) {
+			comp_err(blob_handler->dev, "failed to copy fragment");
+			return ret;
+		}
 
 		blob_handler->data_pos += valid_data_size;
 	} else {
@@ -391,8 +394,12 @@ int ipc4_comp_data_blob_set(struct comp_data_blob_handler *blob_handler,
 			valid_data_size = blob_handler->new_data_size - data_offset;
 
 		ret = memcpy_s((char *)blob_handler->data_new + data_offset,
-			       valid_data_size, data, valid_data_size);
-		assert(!ret);
+			       blob_handler->new_data_size - data_offset,
+			       data, valid_data_size);
+		if (ret) {
+			comp_err(blob_handler->dev, "failed to copy fragment");
+			return ret;
+		}
 
 		blob_handler->data_pos += valid_data_size;
 	}
