From 3dd202c7e531ed97e00343a9a5e59413b4e87a82 Mon Sep 17 00:00:00 2001
From: Liam Girdwood
Date: Thu, 11 Jun 2026 14:31:42 +0100
Subject: [PATCH 1/2] tplg: reject zero-size vendor array

A vendor array with zero size never advanced the parse cursor, looping forever on a malformed topology. Reject a zero-size array.

Signed-off-by: Liam Girdwood
---
 tools/tplg_parser/object.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tools/tplg_parser/object.c b/tools/tplg_parser/object.c
index 4592031c7c01..ddc31e96f896 100644
--- a/tools/tplg_parser/object.c
+++ b/tools/tplg_parser/object.c
@@ -62,6 +62,14 @@ int tplg_create_object(struct tplg_context *ctx,
 return -EINVAL;
 }
+ /* a zero-size array never advances the cursor below: bail out
+ * instead of looping forever on a malformed topology
+ */
+ if (array->size == 0) {
+ fprintf(stderr, "error: load %s zero-size array\n", name);
+ return -EINVAL;
+ }
+
 for (i = 0; i < ipc->num_groups; i++) {
 const struct sof_topology_token *tokens = ipc->grp[i].tokens;
 int num_tokens = ipc->grp[i].num_tokens;
From 1de3b5bec921488b1025c0cb7cd0f0a7664bd698 Mon Sep 17 00:00:00 2001
From: Liam Girdwood
Date: Thu, 11 Jun 2026 14:31:42 +0100
Subject: [PATCH 2/2] tplg: reject undersized process private data

The private-data size had the ABI header length subtracted without checking it was at least that large, underflowing the computed size. Reject private data smaller than the header in both append paths.

Signed-off-by: Liam Girdwood
---
 tools/tplg_parser/process.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tools/tplg_parser/process.c b/tools/tplg_parser/process.c
index 5f0d8cdddaf2..97f7f5b7022b 100644
--- a/tools/tplg_parser/process.c
+++ b/tools/tplg_parser/process.c
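Review bot: In tools/tplg_parser/object.c the new guard in tplg_create_object() tests `array->size` once, before the `for` over `ipc->num_groups`, and only for the value zero. If the loop body (outside this hunk) advances `array` by `array->size`, a later array with size 0 would presumably still stall the cursor, and a non-zero size smaller than the array header or larger than the remaining private data would move the cursor to a position the parser never validated. Consider `if (array->size < sizeof(*array)) {` here, and the same test plus a comparison against the remaining length at the point where the cursor is advanced. The function begins and ends outside the hunk, so the placement needs confirming against the full loop.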
@@ -151,6 +151,11 @@ static int process_append_data3(void *_process_ipc,
 /* Size is process IPC plus private data minus ABI header */
 bytes_ctl = (struct snd_soc_tplg_bytes_control *)ctl;
+ if (bytes_ctl->priv.size < sizeof(struct sof_abi_hdr)) {
+ fprintf(stderr, "error: process priv data too small: %u\n",
+ bytes_ctl->priv.size);
+ return -EINVAL;
+ }
 size = bytes_ctl->priv.size - sizeof(struct sof_abi_hdr);
 ipc_size = sizeof(struct sof_ipc_comp_process) + UUID_SIZE + process_ipc->size + size;
@@ -184,6 +189,11 @@ static int process_append_data4(void *_process_ipc,
 /* Size is process IPC plus private data minus ABI header */
 bytes_ctl = (struct snd_soc_tplg_bytes_control *)ctl;
+ if (bytes_ctl->priv.size < sizeof(struct sof_abi_hdr)) {
+ fprintf(stderr, "error: process priv data too small: %u\n",
+ bytes_ctl->priv.size);
+ return -EINVAL;
+ }
 size = bytes_ctl->priv.size - sizeof(struct sof_abi_hdr);
 /* validate if everything will fit */
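Review bot: Both added checks, in process_append_data3 and process_append_data4, bound `bytes_ctl->priv.size` from below only; nothing in these hunks bounds it from above. In process_append_data3 the sum `sizeof(struct sof_ipc_comp_process) + UUID_SIZE + process_ipc->size + size` is formed right after the subtraction, and depending on the types of `size` and `ipc_size` (declared outside the hunk) a very large `priv.size` from a malformed topology could still wrap the sum or exceed the destination. process_append_data4 is followed by a "validate if everything will fit" step that data3 may not have. It is worth confirming that `priv.size` is also compared with the bytes actually present in the control before it is used as a length. The two guards are identical, so a small static helper that returns the payload length or `-EINVAL` would keep the two append paths from drifting apart.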