drc: validate config blob size before use

DRC setup dereferenced the config blob as a fixed struct without
verifying the blob was at least that large, over-reading adjacent heap
for a short blob. Require the blob to cover the config struct.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

Author: lrgirdwo

src/audio/drc/drc.c

@@ -353,7 +353,10 @@ static int drc_prepare(struct processing_module *mod,
 	/* Initialize DRC */
 	comp_info(dev, "source_format=%d", cd->source_format);
 	cd->config = comp_get_data_blob(cd->model_handler, &data_size, NULL);
-	if (cd->config && data_size > 0) {
+	/* the blob is dereferenced as a struct sof_drc_config below and in
+	 * drc_setup(), so require it to be at least that large
+	 */
+	if (cd->config && data_size >= sizeof(struct sof_drc_config)) {
 		ret = drc_setup(mod, channels, rate);
 		if (ret < 0) {
 			comp_err(dev, "error: drc_setup failed.");