smex: bound the extended manifest walk

The extended-manifest walk advanced by an element size read from the
section without validating it, so a zero size looped forever and a large
size read past the section. Stop on a zero size or one that would leave
the section.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

Author: lrgirdwo

smex/ldc.c

@@ -57,13 +57,22 @@ static int fw_version_copy(const struct elf_module *src,
 		return section_size;
 
 	ext_hdr = (struct ext_man_elem_header *)buffer;
-	while ((uintptr_t)ext_hdr < (uintptr_t)buffer + section_size) {
+	while ((uintptr_t)ext_hdr + sizeof(*ext_hdr) <=
+	       (uintptr_t)buffer + section_size) {
 		if (ext_hdr->type == EXT_MAN_ELEM_DBG_ABI) {
 			header->version.abi_version =
 				((struct ext_man_dbg_abi *)
 						ext_hdr)->dbg_abi.abi_dbg_version;
 			break;
 		}
+		/* elem_size must advance the cursor and keep the next header
+		 * within the section; otherwise stop instead of looping
+		 * forever (elem_size == 0) or reading past the section
+		 */
+		if (ext_hdr->elem_size == 0 ||
+		    (uintptr_t)ext_hdr + ext_hdr->elem_size >
+		    (uintptr_t)buffer + section_size)
+			break;
 		//move to the next entry
 		ext_hdr = (struct ext_man_elem_header *)
 				((uint8_t *)ext_hdr + ext_hdr->elem_size);