[PATCH] ASoC: SOF: topology: reject invalid vendor array size in token parser

Next message: Li Jun: "[PATCH v4] LoongArch: env: fix missing NULL checks for kstrdup"
Previous message: LB F: "Re: [BUG] wifi: rtw88: Hard system freeze on RTL8821CE when power_save is enabled (LPS/ASPM conflict)"
Next in thread: P&#xE9;ter Ujfalusi: "Re: [PATCH] ASoC: SOF: topology: reject invalid vendor array size in token parser"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Cássio Gabriel

Date: Thu Mar 19 2026 - 20:45:53 EST

sof_parse_token_sets() accepts array->size values that can be invalid
for a vendor tuple array header. In particular, a zero size does not
advance the parser state and can lead to non-progress parsing on
malformed topology data.

Validate array->size against the minimum header size and reject values
smaller than sizeof(*array) before parsing. This preserves behavior for
valid topologies and hardens malformed-input handling.

Signed-off-by: Cássio Gabriel <cassiogabrielcontato@xxxxxxxxx>
---
sound/soc/sof/topology.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
index 18e2401152c8..35200d801fb7 100644
--- a/sound/soc/sof/topology.c
+++ b/sound/soc/sof/topology.c
@@ -736,7 +736,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
asize = le32_to_cpu(array->size);

/* validate asize */
- if (asize < 0) { /* FIXME: A zero-size array makes no sense */
+ if (asize < sizeof(*array)) {
dev_err(scomp->dev, "error: invalid array size 0x%x\n",
asize);
return -EINVAL;

---
base-commit: b3c48fa1fb397b490101785ddd87caf2e5513a66
change-id: 20260319-sof-topology-array-size-fix-e900a6b357bc

Best regards,
--
Cássio Gabriel <cassiogabrielcontato@xxxxxxxxx>