ASoC: topology: Add header payload_size verification

[sfrench/cifs-2.6.git] / sound / soc / soc-topology.c

diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index 7a4559ddf90353dcb39515d0c98df04431d130f1..e5352cc6524fbca98bd133857487b5ae1ef8b8ad 100644 (file)
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -2438,6 +2438,7 @@ static int soc_tplg_manifest_load(struct soc_tplg *tplg,
                _manifest = manifest;
        } else {
                abi_match = false;
+
                ret = manifest_new_ver(tplg, manifest, &_manifest);
                if (ret < 0)
                        return ret;
@@ -2468,6 +2469,14 @@ static int soc_valid_header(struct soc_tplg *tplg,
                return -EINVAL;
        }
 
+       if (soc_tplg_get_hdr_offset(tplg) + hdr->payload_size >= tplg->fw->size) {
+               dev_err(tplg->dev,
+                       "ASoC: invalid header of type %d at offset %ld payload_size %d\n",
+                       le32_to_cpu(hdr->type), soc_tplg_get_hdr_offset(tplg),
+                       hdr->payload_size);
+               return -EINVAL;
+       }
+
        /* big endian firmware objects not supported atm */
        if (le32_to_cpu(hdr->magic) == SOC_TPLG_MAGIC_BIG_ENDIAN) {
                dev_err(tplg->dev,