audio: cadence: validate TLV param size before applying config

Bound each host-supplied module_param against the bytes remaining
to avoid an OOB read or a stalled loop.

Signed-off-by: Adrian Bonislawski <adrian.bonislawski@intel.com>

Author: abonislawski

src/audio/module_adapter/module/cadence.c

@@ -358,6 +358,16 @@ int cadence_codec_apply_params(struct processing_module *mod, int size, void *da
 	 */
 	while (size > 0) {
 		param = data;
+
+		/* Host-supplied blob: bound param->size before dereferencing. */
+		if (size < (int)sizeof(*param) ||
+		    param->size <= sizeof(*param) ||
+		    param->size > (uint32_t)size) {
+			comp_err(dev, "invalid param size %u, %d bytes left",
+				 param->size, size);
+			return -EINVAL;
+		}
+
 		comp_dbg(dev, "cadence_codec_apply_config() applying param %d value %d",
 			 param->id, param->data[0]);