Re: [PATCH] ASoC: SOF: topology: reject invalid vendor array size in token parser

Next message: Alexander Wilhelm: "ath12k: desc_va endianness problem"
Previous message: Omer El Idrissi: "[PATCH v2] staging: rtl8723bs: change error handling to use standard errno"
In reply to: C&#xE1;ssio Gabriel: "[PATCH] ASoC: SOF: topology: reject invalid vendor array size in token parser"
Next in thread: Mark Brown: "Re: [PATCH] ASoC: SOF: topology: reject invalid vendor array size in token parser"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Péter Ujfalusi

Date: Fri Mar 20 2026 - 05:53:43 EST

On 20/03/2026 02:45, Cássio Gabriel wrote:
> sof_parse_token_sets() accepts array->size values that can be invalid
> for a vendor tuple array header. In particular, a zero size does not
> advance the parser state and can lead to non-progress parsing on
> malformed topology data.
>
> Validate array->size against the minimum header size and reject values
> smaller than sizeof(*array) before parsing. This preserves behavior for
> valid topologies and hardens malformed-input handling.

Acked-by: Peter Ujfalusi <peter.ujfalusi@xxxxxxxxxxxxxxx>

> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@xxxxxxxxx>
> ---
> sound/soc/sof/topology.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
> index 18e2401152c8..35200d801fb7 100644
> --- a/sound/soc/sof/topology.c
> +++ b/sound/soc/sof/topology.c
> @@ -736,7 +736,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
> asize = le32_to_cpu(array->size);
>
> /* validate asize */
> - if (asize < 0) { /* FIXME: A zero-size array makes no sense */
> + if (asize < sizeof(*array)) {
> dev_err(scomp->dev, "error: invalid array size 0x%x\n",
> asize);
> return -EINVAL;
>
> ---
> base-commit: b3c48fa1fb397b490101785ddd87caf2e5513a66
> change-id: 20260319-sof-topology-array-size-fix-e900a6b357bc
>
> Best regards,

--
Péter