audio: eq_iir: Improve robustness for invalid configuration

Validate the EQ IIR configuration blob and IIR header fields to prevent
out-of-bounds reads and malformed-state setup.

- eq_iir.c, eq_iir.h: Store the blob length returned by
  comp_get_data_blob() in a new config_size field, and bound it to
  [sizeof(*cd->config), SOF_EQ_IIR_MAX_SIZE] in both eq_iir_prepare
  and the runtime new-blob path in eq_iir_process.
- eq_iir_init_coef(): derive coef_words_max from the blob's
  self-declared size after rejecting blobs too small to hold the
  header and the assign_response[] array. For each declared response,
  bound-check that the header fits before reading num_sections, and
  verify the full header + biquad record stays within the
  coefficient area.
- eq_iir_setup(): reject any mismatch between cd->config->size and the
  blob length reported by comp_get_data_blob().
- iir_delay_size_df1(), iir_delay_size_df2t(): range-check
  num_sections_in_series; the value is later used to stride the delay
  line and parallel-chain loop, and was previously unchecked.

Signed-off-by: Seppo Ingalsuo <seppo.ingalsuo@linux.intel.com>

Author: singalsu

src/audio/eq_iir/eq_iir.c

@@ -119,7 +119,13 @@ static int eq_iir_process(struct processing_module *mod,
 
 	/* Check for changed configuration */
 	if (comp_is_new_data_blob_available(cd->model_handler)) {
-		cd->config = comp_get_data_blob(cd->model_handler, NULL, NULL);
+		cd->config = comp_get_data_blob(cd->model_handler, &cd->config_size, NULL);
+		if (!cd->config || cd->config_size < sizeof(*cd->config) ||
+		    cd->config_size > SOF_EQ_IIR_MAX_SIZE) {
+			comp_err(mod->dev, "invalid configuration blob, size %zu",
+				 cd->config_size);
+			return -EINVAL;
+		}
 		ret = eq_iir_new_blob(mod, audio_stream_get_frm_fmt(source),
 				      audio_stream_get_frm_fmt(sink),
 				      audio_stream_get_channels(source));
@@ -158,7 +164,6 @@ static int eq_iir_prepare(struct processing_module *mod,
 	struct comp_dev *dev = mod->dev;
 	enum sof_ipc_frame source_format;
 	enum sof_ipc_frame sink_format;
-	size_t data_size;
 	int channels;
 	int ret = 0;
 
@@ -183,7 +188,7 @@ static int eq_iir_prepare(struct processing_module *mod,
 	source_format = audio_stream_get_frm_fmt(&sourceb->stream);
 	sink_format = audio_stream_get_frm_fmt(&sinkb->stream);
 
-	cd->config = comp_get_data_blob(cd->model_handler, &data_size, NULL);
+	cd->config = comp_get_data_blob(cd->model_handler, &cd->config_size, NULL);
 
 	/* Initialize EQ */
 	comp_info(dev, "source_format=%d, sink_format=%d",
@@ -192,7 +197,13 @@ static int eq_iir_prepare(struct processing_module *mod,
 	eq_iir_set_passthrough_func(cd, source_format, sink_format);
 
 	/* Initialize EQ */
-	if (cd->config && data_size > 0) {
+	if (cd->config) {
+		if (cd->config_size < sizeof(*cd->config) ||
+		    cd->config_size > SOF_EQ_IIR_MAX_SIZE) {
+			comp_err(dev, "invalid configuration blob, size %zu",
+				 cd->config_size);
+			return -EINVAL;
+		}
 		ret = eq_iir_new_blob(mod, source_format, sink_format, channels);
 		if (ret)
 			return ret;

src/audio/eq_iir/eq_iir.h

@@ -39,6 +39,7 @@ struct comp_data {
 	struct comp_data_blob_handler *model_handler;
 	struct sof_eq_iir_config *config;
 	int32_t *iir_delay;			/**< pointer to allocated RAM */
+	size_t config_size;			/**< configuration size */
 	size_t iir_delay_size;			/**< allocated size */
 	eq_iir_func eq_iir_func;		/**< processing function */
 };

src/audio/eq_iir/eq_iir_generic.c

@@ -187,6 +187,7 @@ static int eq_iir_init_coef(struct processing_module *mod, int nch)
 	struct iir_state_df1 *iir = cd->iir;
 	struct sof_eq_iir_header *lookup[SOF_EQ_IIR_MAX_RESPONSES];
 	struct sof_eq_iir_header *eq;
+	int32_t coef_words_max;
 	int32_t *assign_response;
 	int32_t *coef_data;
 	int size_sum = 0;
@@ -210,17 +211,43 @@ static int eq_iir_init_coef(struct processing_module *mod, int nch)
 		return -EINVAL;
 	}
 
+	/* Compute the size of the coefficient area in int32_t words from the
+	 * blob's self-declared size. The blob layout is:
+	 *   sizeof(*config) header bytes
+	 *   channels_in_config int32_t assign_response[]
+	 *   coefficient data[]
+	 */
+	if (config->size < sizeof(*config) ||
+	    config->size - sizeof(*config) < config->channels_in_config * sizeof(int32_t)) {
+		comp_err(mod->dev, "config size %u too small", config->size);
+		return -EINVAL;
+	}
+	coef_words_max = (config->size - sizeof(*config)) / sizeof(int32_t) -
+		config->channels_in_config;
+
 	/* Collect index of response start positions in all_coefficients[]  */
 	j = 0;
 	assign_response = ASSUME_ALIGNED(&config->data[0], 4);
-	coef_data = ASSUME_ALIGNED(&config->data[config->channels_in_config],
-				   4);
+	coef_data = ASSUME_ALIGNED(&config->data[config->channels_in_config], 4);
 	for (i = 0; i < SOF_EQ_IIR_MAX_RESPONSES; i++) {
 		if (i < config->number_of_responses) {
+			/* Header must fit before reading num_sections */
+			if (j + SOF_EQ_IIR_NHEADER > coef_words_max) {
+				comp_err(mod->dev, "response %d header out of bounds", i);
+				return -EINVAL;
+			}
 			eq = (struct sof_eq_iir_header *)&coef_data[j];
+			/* Bound num_sections so the multiply cannot overflow
+			 * and the section data stays within the blob.
+			 */
+			if (eq->num_sections > SOF_EQ_IIR_BIQUADS_MAX || j + SOF_EQ_IIR_NHEADER +
+				SOF_EQ_IIR_NBIQUAD * eq->num_sections > coef_words_max) {
+				comp_err(mod->dev, "response %d num_sections %u out of bounds",
+					 i, eq->num_sections);
+				return -EINVAL;
+			}
 			lookup[i] = eq;
-			j += SOF_EQ_IIR_NHEADER
-				+ SOF_EQ_IIR_NBIQUAD * eq->num_sections;
+			j += SOF_EQ_IIR_NHEADER + SOF_EQ_IIR_NBIQUAD * eq->num_sections;
 		} else {
 			lookup[i] = NULL;
 		}
@@ -315,6 +342,11 @@ int eq_iir_setup(struct processing_module *mod, int nch)
 	struct comp_data *cd = module_get_private_data(mod);
 	int delay_size;
 
+	if (cd->config->size != cd->config_size) {
+		comp_err(mod->dev, "Incorrect configuration blob size");
+		return -EINVAL;
+	}
+
 	/* Free existing IIR channels data if it was allocated */
 	eq_iir_free_delaylines(mod);
 

src/math/iir_df1.c

@@ -16,11 +16,15 @@
 
 int iir_delay_size_df1(struct sof_eq_iir_header *config)
 {
-	int n = config->num_sections; /* One section uses two unit delays */
+	int n = config->num_sections; /* One section uses four unit delays */
 
 	if (n > SOF_EQ_IIR_BIQUADS_MAX || n < 1)
 		return -EINVAL;
 
+	if (config->num_sections_in_series > SOF_EQ_IIR_BIQUADS_MAX ||
+	    config->num_sections_in_series < 1)
+		return -EINVAL;
+
 	return 4 * n * sizeof(int32_t);
 }
 EXPORT_SYMBOL(iir_delay_size_df1);

src/math/iir_df2t.c

@@ -21,6 +21,10 @@ int iir_delay_size_df2t(struct sof_eq_iir_header *config)
 	if (n > SOF_EQ_IIR_BIQUADS_MAX || n < 1)
 		return -EINVAL;
 
+	if (config->num_sections_in_series > SOF_EQ_IIR_BIQUADS_MAX ||
+	    config->num_sections_in_series < 1)
+		return -EINVAL;
+
 	return 2 * n * sizeof(int64_t);
 }