HDA Specification doesn't enforce any limits on how much connections can be
provided, other than amount of bits, which is 8, meaning total of 256
connections is possible, while HDA_MAX_CONNECTIONS is only 32. This can
lead to out-of-bounds write when copying texts.

Commit 15b914476bf2 ("ASoC: hdac_hdmi: Use list to add pins and
converters") also mentions that 'future platforms may have a different
set of pins/converters' which might cause this issue to arise somewhere
in future, even if it doesn't arise right now.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 79f4e922b547 ("ASoC: hdac_hdmi: Create widget/route based on nodes enumerated")
Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
---
 sound/soc/codecs/hdac_hdmi.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c
index d8e83150ea28e..92fe199941d9d 100644
--- a/sound/soc/codecs/hdac_hdmi.c
+++ b/sound/soc/codecs/hdac_hdmi.c
@@ -974,6 +974,11 @@ static int hdac_hdmi_create_pin_port_muxs(struct hdac_device *hdev,
 	int i = 0;
 	int num_items = hdmi->num_cvt + 1;
 
+	if (num_items >= HDA_MAX_CONNECTIONS) {
+		dev_warn(&hdev->dev, "HDMI: too many connections!\n");
+		return -EINVAL;
+	}
+
 	kc = devm_kzalloc(&hdev->dev, sizeof(*kc), GFP_KERNEL);
 	if (!kc)
 		return -ENOMEM;
-- 
2.43.0