sound/soc/sof/topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
sof_parse_token_sets() accepts array->size values that can be invalid
for a vendor tuple array header. In particular, a zero size does not
advance the parser state and can lead to non-progress parsing on
malformed topology data.
Validate array->size against the minimum header size and reject values
smaller than sizeof(*array) before parsing. This preserves behavior for
valid topologies and hardens malformed-input handling.
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
---
sound/soc/sof/topology.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
index 18e2401152c8..35200d801fb7 100644
--- a/sound/soc/sof/topology.c
+++ b/sound/soc/sof/topology.c
@@ -736,7 +736,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
asize = le32_to_cpu(array->size);
/* validate asize */
- if (asize < 0) { /* FIXME: A zero-size array makes no sense */
+ if (asize < sizeof(*array)) {
dev_err(scomp->dev, "error: invalid array size 0x%x\n",
asize);
return -EINVAL;
---
base-commit: b3c48fa1fb397b490101785ddd87caf2e5513a66
change-id: 20260319-sof-topology-array-size-fix-e900a6b357bc
Best regards,
--
Cássio Gabriel <cassiogabrielcontato@gmail.com>
On Thu, 19 Mar 2026 21:45:26 -0300, Cássio Gabriel wrote:
> ASoC: SOF: topology: reject invalid vendor array size in token parser
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-7.0
Thanks!
[1/1] ASoC: SOF: topology: reject invalid vendor array size in token parser
https://git.kernel.org/broonie/sound/c/215e5fe75881
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying
to this mail.
Thanks,
Mark
On 20/03/2026 02:45, Cássio Gabriel wrote:
> sof_parse_token_sets() accepts array->size values that can be invalid
> for a vendor tuple array header. In particular, a zero size does not
> advance the parser state and can lead to non-progress parsing on
> malformed topology data.
>
> Validate array->size against the minimum header size and reject values
> smaller than sizeof(*array) before parsing. This preserves behavior for
> valid topologies and hardens malformed-input handling.
Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
> ---
> sound/soc/sof/topology.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
> index 18e2401152c8..35200d801fb7 100644
> --- a/sound/soc/sof/topology.c
> +++ b/sound/soc/sof/topology.c
> @@ -736,7 +736,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
> asize = le32_to_cpu(array->size);
>
> /* validate asize */
> - if (asize < 0) { /* FIXME: A zero-size array makes no sense */
> + if (asize < sizeof(*array)) {
> dev_err(scomp->dev, "error: invalid array size 0x%x\n",
> asize);
> return -EINVAL;
>
> ---
> base-commit: b3c48fa1fb397b490101785ddd87caf2e5513a66
> change-id: 20260319-sof-topology-array-size-fix-e900a6b357bc
>
> Best regards,
--
Péter
© 2016 - 2026 Red Hat, Inc.