tplg: reject undersized process private data

lrgirdwo · lgirdwood · commit af6c200847a9 · 2026-06-18T15:34:48.000+01:00
The private-data size had the ABI header length subtracted without
checking it was at least that large, underflowing the computed size.
Reject private data smaller than the header in both append paths.

Signed-off-by: Liam Girdwood &lt;liam.r.girdwood@linux.intel.com&gt;
diff --git a/tools/tplg_parser/process.c b/tools/tplg_parser/process.c
@@ -151,6 +151,11 @@ static int process_append_data3(void *_process_ipc,
 
 	/* Size is process IPC plus private data minus ABI header */
 	bytes_ctl = (struct snd_soc_tplg_bytes_control *)ctl;
+	if (bytes_ctl->priv.size < sizeof(struct sof_abi_hdr)) {
+		fprintf(stderr, "error: process priv data too small: %u\n",
+			bytes_ctl->priv.size);
+		return -EINVAL;
+	}
 	size = bytes_ctl->priv.size - sizeof(struct sof_abi_hdr);
 	ipc_size = sizeof(struct sof_ipc_comp_process) + UUID_SIZE +
 			process_ipc->size + size;
@@ -184,6 +189,11 @@ static int process_append_data4(void *_process_ipc,
 
 	/* Size is process IPC plus private data minus ABI header */
 	bytes_ctl = (struct snd_soc_tplg_bytes_control *)ctl;
+	if (bytes_ctl->priv.size < sizeof(struct sof_abi_hdr)) {
+		fprintf(stderr, "error: process priv data too small: %u\n",
+			bytes_ctl->priv.size);
+		return -EINVAL;
+	}
 	size = bytes_ctl->priv.size - sizeof(struct sof_abi_hdr);
 
 	/* validate if everything will fit */
