| author | Cássio Gabriel <cassiogabrielcontato@gmail.com> | 2026-03-19 21:45:26 -0300 |
|---|---|---|
| committer | Mark Brown <broonie@kernel.org> | 2026-03-20 12:52:41 +0000 |
| commit | 215e5fe75881a7e2425df04aeeed47a903d5cd5d (patch) | |
| tree | 6c36edefffe9a94f639f9b70432371a187fb2ee0 /sound | |
| parent | a437601a0a1383260222223440a95dd4322eb7fa (diff) | |
ASoC: SOF: topology: reject invalid vendor array size in token parser
sof_parse_token_sets() accepts array->size values that can be invalid
for a vendor tuple array header. In particular, a zero size does not
advance the parser state and can lead to non-progress parsing on
malformed topology data.
Validate array->size against the minimum header size and reject values
smaller than sizeof(*array) before parsing. This preserves behavior for
valid topologies and hardens malformed-input handling.
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Diffstat (limited to 'sound')
| -rw-r--r-- | sound/soc/sof/topology.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c index 18e2401152c8..35200d801fb7 100644 --- a/sound/soc/sof/topology.c +++ b/sound/soc/sof/topology.c @@ -736,7 +736,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp, asize = le32_to_cpu(array->size); /* validate asize */ - if (asize < 0) { /* FIXME: A zero-size array makes no sense */ + if (asize < sizeof(*array)) { dev_err(scomp->dev, "error: invalid array size 0x%x\n", asize); return -EINVAL; |
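Review bot: The new test `if (asize < sizeof(*array))` compares asize against a size_t, so if asize is a signed int (the removed `asize < 0` test suggests it is, but the declaration is outside this hunk) a negative value is converted to a large unsigned number and passes the check, which silently drops the negative-size rejection the old line provided. Either declare asize as an unsigned 32-bit value to match `le32_to_cpu(array->size)`, or keep the sign check explicitly, for example `if (asize < 0 || asize < sizeof(*array))`. The check is also only a lower bound: nothing in the visible lines compares asize with the amount of topology data remaining, so confirm that the code following this hunk rejects an asize larger than what is left before the tuples are walked. A short comment stating that the minimum is the vendor array header size would replace the removed FIXME usefully.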
