git.ipfire.org Git - thirdparty/linux.git/commit

author	Cássio Gabriel <cassiogabrielcontato@gmail.com>
	Wed, 3 Jun 2026 17:57:54 +0000 (14:57 -0300)
committer	Mark Brown <broonie@kernel.org>
	Wed, 10 Jun 2026 11:06:35 +0000 (12:06 +0100)
commit	8468dd79cfb2ffbdeaf7c353f63d64941cb8ba05
tree	35459254645d7b8ebbd218cbe85b2d6d246097eb	tree \| snapshot
parent	fc10b96e964ee1a7e218720652efa4447f148649	commit \| diff

ASoC: SOF: topology: validate vendor array size before parsing

sof_parse_token_sets() reads array->size while iterating over topology
private data. The loop condition only checks that some data remains, so a
malformed topology with a truncated trailing vendor array can make the
parser read the size field before a full vendor-array header is available.

Validate that the remaining private data contains a complete
snd_soc_tplg_vendor_array header before reading array->size.

The declared array size check also needs to remain signed. asize is an int,
but sizeof(*array) has type size_t, so comparing them directly promotes
negative asize values to unsigned and lets them pass the check,
as reported in the stable review thread reference below.

Cast sizeof(*array) to int when validating the declared array size. This
rejects negative, zero and otherwise too-small sizes before the parser
dispatches to the tuple-specific code.

Link: https://lore.kernel.org/stable/CANiDSCsjR5NHqu_Ui5cOqWdJgFqmYsQ9WR8O7m0WOhngaYXFpw@mail.gmail.com/t/#m9b3be379221e79327cc13fd71009287368ef4f23
Fixes: 215e5fe75881 ("ASoC: SOF: topology: reject invalid vendor array size in token parser")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260603-sof-topology-array-size-signed-v1-1-84f97879a4ef@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>