selector: re-validate configuration on control set

A new configuration accepted at runtime through the control set path was
copied in without the validation done when parameters are applied, so a
later out-of-range channel count could overflow the channel table.
Validate the blob size and channel fields before accepting it.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

Author: lrgirdwo

src/audio/selector/selector.c

@@ -238,9 +238,48 @@ static int selector_ctrl_set_data(struct comp_dev *dev,
 	case SOF_CTRL_CMD_BINARY:
 		comp_dbg(dev, "SOF_CTRL_CMD_BINARY");
 
+		if (cdata->data->size < sizeof(struct sof_sel_config)) {
+			comp_err(dev, "invalid config blob size %u", cdata->data->size);
+			return -EINVAL;
+		}
+
 		cfg = (struct sof_sel_config *)
 		      ASSUME_ALIGNED(&cdata->data->data, 4);
 
+		/*
+		 * The config validated at .params() time can be replaced here at
+		 * runtime, so re-validate the new channel counts and selected
+		 * channel before accepting them; otherwise an out-of-range value
+		 * later overflows the channel coefficient table during process().
+		 */
+		switch (cfg->in_channels_count) {
+		case 0:
+		case SEL_SOURCE_2CH:
+		case SEL_SOURCE_4CH:
+			break;
+		default:
+			comp_err(dev, "invalid in_channels_count %u",
+				 cfg->in_channels_count);
+			return -EINVAL;
+		}
+
+		switch (cfg->out_channels_count) {
+		case 0:
+		case SEL_SINK_1CH:
+		case SEL_SINK_2CH:
+		case SEL_SINK_4CH:
+			break;
+		default:
+			comp_err(dev, "invalid out_channels_count %u",
+				 cfg->out_channels_count);
+			return -EINVAL;
+		}
+
+		if (cfg->sel_channel >= SEL_SOURCE_CHANNELS_MAX) {
+			comp_err(dev, "invalid sel_channel %u", cfg->sel_channel);
+			return -EINVAL;
+		}
+
 		/* Just set the configuration */
 		cd->config.in_channels_count = cfg->in_channels_count;
 		cd->config.out_channels_count = cfg->out_channels_count;