From ca8ccefe47a5f1822afe984ae12c9ddfda2e281f Mon Sep 17 00:00:00 2001 From: Liam Girdwood Date: Thu, 11 Jun 2026 13:07:54 +0100 Subject: [PATCH] dts: validate parameter size against remaining config blob The configuration parser advanced through packed parameters using a size field read from the blob without checking it against the bytes remaining, allowing reads past the configuration data. Track the remaining length and reject a header or parameter that does not fit. Signed-off-by: Liam Girdwood --- src/audio/codec/dts/dts.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/audio/codec/dts/dts.c b/src/audio/codec/dts/dts.c index cd1da3363517..bc4795055576 100644 --- a/src/audio/codec/dts/dts.c +++ b/src/audio/codec/dts/dts.c @@ -328,9 +328,15 @@ static int dts_codec_apply_config(struct processing_module *mod) /* Allow for multiple module_params to be packed into the data pointed to by config */ + param_header_size = sizeof(param->id) + sizeof(param->size); for (i = 0; i < config_data_size; param_number++) { + /* Need at least a param header in the remaining bytes to read id/size */ + if (config_data_size - i < param_header_size) { + comp_err(dev, "param header truncated"); + return -EINVAL; + } + param = (struct module_param *)((char *)config->data + i); - param_header_size = sizeof(param->id) + sizeof(param->size); /* If param->size is less than param_header_size, then this param is not valid */ if (param->size < param_header_size) { @@ -338,6 +344,13 @@ static int dts_codec_apply_config(struct processing_module *mod) return -EINVAL; } + /* The whole param (header + data) must fit in the remaining config data */ + if (param->size > config_data_size - i) { + comp_err(dev, "param size %u exceeds remaining %u", + param->size, config_data_size - i); + return -EINVAL; + } + /* Only process param->data if it has size greater than 0 */ if (param->size > param_header_size) { /* Calculate size of param->data */