ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

The convert_chmap_v3() has a loop with its increment size of
cs_desc->wLength, but we forgot to validate cs_desc->wLength itself,
which may lead to potential endless loop by a malformed descriptor.

Add a proper size check to abort the loop for plugging the hole.

Fixes: ecfd41166b72 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260427152224.15276-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index f8f56ace56523550442e54bec2d73a185e2da71a..b2c5c8198281ad1e4d81a10b6c3cbceb77c87902 100644 (file)
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -353,6 +353,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
                if (len < sizeof(*cs_desc))
                        break;
                cs_len = le16_to_cpu(cs_desc->wLength);
+               if (cs_len < sizeof(*cs_desc))
+                       break;
                if (len < cs_len)
                        break;
                cs_type = cs_desc->bSegmentType;