igo_nr: validate config blob size before copy

A new configuration blob was copied into the component state as a
fixed-size structure without checking the blob was large enough, reading
past the allocation for a short blob. Request the blob size and reject
one smaller than the configuration structure.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

Author: lrgirdwo

src/audio/igo_nr/igo_nr.c

@@ -719,17 +719,32 @@ static void igo_nr_print_config(struct processing_module *mod)
 static void igo_nr_set_igo_params(struct processing_module *mod)
 {
 	struct comp_data *cd = module_get_private_data(mod);
-	struct sof_igo_nr_config *p_config = comp_get_data_blob(cd->model_handler, NULL, NULL);
+	size_t config_size;
+	struct sof_igo_nr_config *p_config = comp_get_data_blob(cd->model_handler,
+							       &config_size, NULL);
 	struct comp_dev *dev = mod->dev;
 
 	comp_info(dev, "entry");
-	igo_nr_check_config_validity(dev, cd);
 
-	if (p_config) {
-		comp_info(dev, "New config detected.");
-		cd->config = *p_config;
-		igo_nr_print_config(mod);
+	if (!p_config)
+		return;
+
+	if (config_size < sizeof(cd->config)) {
+		comp_err(dev, "New config too small: %zu < %zu",
+			 config_size, sizeof(cd->config));
+		return;
 	}
+
+	/* validate the incoming blob and only apply it if it passes;
+	 * igo_nr_check_config_validity() re-reads the new blob and logs
+	 * on failure
+	 */
+	if (igo_nr_check_config_validity(dev, cd) < 0)
+		return;
+
+	comp_info(dev, "New config detected.");
+	cd->config = *p_config;
+	igo_nr_print_config(mod);
 }
 
 /* copy and process stream data from source to sink buffers */