On Mon, 22 Aug 2022 20:59:09 +0200, Pierre-Louis Bossart wrote:
>
> +#define SSP_BLOB_V1_0_SIZE 84
> +#define SSP_BLOB_V1_0_MDIVC_OFFSET 19 /* offset in u32 */
> +#define SSP_BLOB_V1_5_SIZE 96
> +#define SSP_BLOB_V1_5_MDIVC_OFFSET 21 /* offset in u32 */

This is 84 in bytes, which is equal to SSP_BLOB_V1_0_SIZE. So...

> + for (j = 0; j < fmt->fmt_count; j++) {
> + u32 *blob;
> + int mdivc_offset;
> +
> + if (cfg->config.size >= SSP_BLOB_V1_0_SIZE) {
> + blob = (u32 *)cfg->config.caps;

... the size check is >= 84. If cfg->config.size == 84, it may be an
out-of-bound read at blob[SSP_BLOB_V1_5_MDIVC_OFFSET]?

I don't think this would really matter in practice, but it's better to
have a proper check, of course.

thanks,

Takashi
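Review bot: the guard `if (cfg->config.size >= SSP_BLOB_V1_0_SIZE)` only guarantees that 84 bytes, i.e. u32 indices 0..20, are present in cfg->config.caps, while the defines place the v1.5 mdivc word at index 21 (byte offset 84), so any path under this branch that indexes blob[SSP_BLOB_V1_5_MDIVC_OFFSET] reads one u32 past the end of an 84-byte blob. Select mdivc_offset from the size tier instead, e.g. `if (cfg->config.size >= SSP_BLOB_V1_5_SIZE) mdivc_offset = SSP_BLOB_V1_5_MDIVC_OFFSET; else mdivc_offset = SSP_BLOB_V1_0_MDIVC_OFFSET;`, and reject (or skip) a config whose size is below SSP_BLOB_V1_0_SIZE rather than silently falling through. A comment noting that the *_SIZE defines are in bytes while the *_MDIVC_OFFSET defines are in u32 units would also help, since mixing the two units is what makes the boundary case easy to miss.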