On (22/04/27 21:52), Peter Ujfalusi wrote:
> It is possible to craft a topology where sof_get_control_data() would do
> out of bounds access because it expects that it is only called when the
> payload is bytes type.
> Confusingly it also handles other types of controls, but the payload
> parsing implementation is only valid for bytes.
>
> Fix the code to count the non bytes controls and instead of storing a
> pointer to sof_abi_hdr in sof_widget_data (which is only valid for bytes),
> store the pointer to the data itself and add a new member to save the size
> of the data.
>
> In case of non bytes controls we store the pointer to the chanv itself,
> which is just an array of values at the end.
>
> In case of bytes control, drop the wrong cdata->data (wdata[i].pdata) check
> against NULL since it is incorrect and invalid in this context.
> The data is pointing to the end of cdata struct, so it should never be
> null.
>
> Reported-by: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx>
> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@xxxxxxxxxxxxxxx>

FWIW
Reviewed-by: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx>
Tested-by: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx>
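
The pattern the commit message describes (keep a pointer to the data plus its size for every control type, and parse a header only for bytes controls), as an added illustration that is not the patch or any kernel code. The structures and names below are simplified and hypothetical, and the explicit length checks are an assumption of this sketch rather than something the message states.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified, hypothetical model; these are not the SOF structures. */
enum ctl_type { CTL_VOLUME, CTL_BYTES };
struct abi_hdr { uint32_t magic; uint32_t size; }; /* prefixes bytes data only */
struct chan_val { uint32_t channel; uint32_t value; };

struct ctl {
    enum ctl_type type;
    uint32_t num_elems;   /* value-array entries, non-bytes controls only */
    size_t payload_len;   /* bytes actually present in payload[] */
    uint8_t payload[64];
};

struct widget_data {
    const void *pdata;    /* points at the data itself, not at a header */
    size_t pdata_size;    /* size of that data, valid for every type */
};

/* Returns 0 on success, -1 when the declared size does not fit the payload. */
int get_control_data(const struct ctl *c, struct widget_data *w)
{
    struct abi_hdr hdr;

    if (c->payload_len > sizeof(c->payload))
        return -1;
    if (c->type == CTL_BYTES) {
        if (c->payload_len < sizeof(hdr))
            return -1;
        memcpy(&hdr, c->payload, sizeof(hdr));
        if (hdr.size > c->payload_len - sizeof(hdr))
            return -1;    /* header claims more data than is present */
        w->pdata = c->payload + sizeof(hdr);
        w->pdata_size = hdr.size;
        return 0;
    }
    /* Non-bytes: the payload is the value array, with no header to parse. */
    if (c->num_elems > c->payload_len / sizeof(struct chan_val))
        return -1;
    w->pdata = c->payload;
    w->pdata_size = (size_t)c->num_elems * sizeof(struct chan_val);
    return 0;
}
```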