ASoC: topology: Add header payload_size verification

Add sanity check to make sure the data is read within file boundary.
Helps in situations where file is only partially copied or malformed.

Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20211015161257.27052-3-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>

diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index 7a4559d..e5352cc 100644 (file)
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -2438,6 +2438,7 @@ static int soc_tplg_manifest_load(struct soc_tplg *tplg,
                _manifest = manifest;
        } else {
                abi_match = false;
+
                ret = manifest_new_ver(tplg, manifest, &_manifest);
                if (ret < 0)
                        return ret;
@@ -2468,6 +2469,14 @@ static int soc_valid_header(struct soc_tplg *tplg,
                return -EINVAL;
        }
 
+       if (soc_tplg_get_hdr_offset(tplg) + hdr->payload_size >= tplg->fw->size) {
+               dev_err(tplg->dev,
+                       "ASoC: invalid header of type %d at offset %ld payload_size %d\n",
+                       le32_to_cpu(hdr->type), soc_tplg_get_hdr_offset(tplg),
+                       hdr->payload_size);
+               return -EINVAL;
+       }
+
        /* big endian firmware objects not supported atm */
        if (le32_to_cpu(hdr->magic) == SOC_TPLG_MAGIC_BIG_ENDIAN) {
                dev_err(tplg->dev,