From 28e02fc3fdfa0e58ae0816e5e4501f51ef14cf37 Mon Sep 17 00:00:00 2001 From: "barry.jan" Date: Mon, 8 Apr 2024 16:47:11 +0800 Subject: [PATCH] waves: verify payload size and initialize memory to zero to the allocated memory in waves.c Enhance payload corruption handling by verifying size and make sure to have clean buffer before using it. Signed-off-by: barry.jan (cherry picked from commit 355e46f051dbd4493317662e13695685153c79b9) --- src/audio/module_adapter/module/waves.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/audio/module_adapter/module/waves.c b/src/audio/module_adapter/module/waves.c index b772ac14e525..9386ce3dc470 100644 --- a/src/audio/module_adapter/module/waves.c +++ b/src/audio/module_adapter/module/waves.c @@ -608,6 +608,7 @@ static int waves_effect_apply_config(struct processing_module *mod) /* incoming data in cfg->data is arranged according to struct module_param * there migh be more than one struct module_param inside cfg->data, glued back to back */ + const uint32_t header_size = sizeof(param->size) + sizeof(param->id); for (index = 0; index < cfg->size && (!ret); param_number++) { uint32_t param_data_size; @@ -617,6 +618,18 @@ static int waves_effect_apply_config(struct processing_module *mod) comp_info(dev, "waves_effect_apply_config() param num %d id %d size %d", param_number, param->id, param->size); + if ((param->size <= header_size) || (param->size > MAX_CONFIG_SIZE_BYTES)) { + comp_err(dev, "waves_effect_apply_config() invalid module_param size: %d", + param->size); + return -EINVAL; + } + + if ((index + param->size) > cfg->size) { + comp_err(dev, "waves_effect_apply_config() module_param size: %d exceeds cfg buffer size: %d", + param->size, cfg->size); + return -EINVAL; + } + switch (param->id) { case PARAM_NOP: comp_info(dev, "waves_effect_apply_config() NOP"); @@ -661,6 +674,7 @@ static int waves_codec_init(struct processing_module *mod) ret = -ENOMEM; goto err3; } else { + memset(waves_codec, 0, sizeof(struct waves_codec_data)); codec->private = waves_codec; ret = waves_effect_allocate(mod); if (ret) {