alsa-lib: patch CVE-2026-25068 master
authorPeter Marko <peter.marko@siemens.com>
Fri, 20 Feb 2026 20:53:15 +0000 (21:53 +0100)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Mon, 23 Feb 2026 18:02:43 +0000 (18:02 +0000)
Pick the patch referenced in the NVD report.
The upstream commit message also includes the CVE ID.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch [new file with mode: 0644]
meta/recipes-multimedia/alsa/alsa-lib_1.2.15.3.bb

diff --git a/meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch b/meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch
new file mode 100644 (file)
index 0000000..9bb24c2
--- /dev/null
@@ -0,0 +1,34 @@
+From 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 Mon Sep 17 00:00:00 2001
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Thu, 29 Jan 2026 16:51:09 +0100
+Subject: [PATCH] topology: decoder - add boundary check for channel mixer
+ count
+
+Malicious binary topology file may cause heap corruption.
+
+CVE: CVE-2026-25068
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+
+Upstream-Status: Backport [https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/topology/ctl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/topology/ctl.c b/src/topology/ctl.c
+index a0c24518..322c461c 100644
+--- a/src/topology/ctl.c
++++ b/src/topology/ctl.c
+@@ -1250,6 +1250,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg,
+       if (mc->num_channels > 0) {
+               map = tplg_calloc(heap, sizeof(*map));
+               map->num_channels = mc->num_channels;
++              if (map->num_channels > SND_TPLG_MAX_CHAN ||
++                  map->num_channels > SND_SOC_TPLG_MAX_CHAN) {
++                      snd_error(TOPOLOGY, "mixer: unexpected channel count %d", map->num_channels);
++                      return -EINVAL;
++              }
+               for (i = 0; i < map->num_channels; i++) {
+                       map->channel[i].reg = mc->channel[i].reg;
+                       map->channel[i].shift = mc->channel[i].shift;
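Review bot: The new bounds check in `tplg_decode_control_mixer1` tests `map->num_channels` only after `map` has been allocated and written, and the `tplg_calloc()` result on the context line just above is still dereferenced without a NULL check, which this backport leaves unaddressed. Testing the file-supplied value before the allocation, as in `if (mc->num_channels > SND_TPLG_MAX_CHAN || mc->num_channels > SND_SOC_TPLG_MAX_CHAN)`, and adding `if (!map) return -ENOMEM;` would reject a malformed topology before any state is touched. A short comment such as `/* num_channels comes from the binary topology file and indexes both mc->channel[] and map->channel[] */` would explain why two limits are compared; the array sizes are not visible here, so that reading is inferred from the constant names. Because the patch is a verbatim upstream backport, these points are better raised upstream than changed locally, and the function body continues outside the hunk.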
index fec4b2c1a9dc7d2eb26583df59bf570b82071de3..1ebb356925630afdff789dfb776a3ebe34467e6c 100644 (file)
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7 \
                     "
 
 SRC_URI = "https://www.alsa-project.org/files/pub/lib/${BP}.tar.bz2"
+SRC_URI += "file://CVE-2026-25068.patch"
 SRC_URI[sha256sum] = "7b079d614d582cade7ab8db2364e65271d0877a37df8757ac4ac0c8970be861e"
 
 inherit autotools pkgconfig