From e5c0ba8630fd52ddb0ddfc829e816b92f86a2527 Mon Sep 17 00:00:00 2001
From: jmestwa-coder
Date: Thu, 18 Jun 2026 12:33:45 +0530
Subject: [PATCH] tplg_parser: reject process priv blob smaller than abi header

process_append_data3() subtracts sizeof(struct sof_abi_hdr) from the host-supplied priv.size as a size_t. A bytes control declaring priv.size below the ABI header underflows size, and the ipc_size check wraps along with it and passes, so the memcpy overruns process_ipc. Reject the undersized blob before the subtraction.

Signed-off-by: jmestwa-coder
---
 tools/tplg_parser/process.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/tplg_parser/process.c b/tools/tplg_parser/process.c
index 5f0d8cdddaf2..b5f18ca6d424 100644
--- a/tools/tplg_parser/process.c
+++ b/tools/tplg_parser/process.c
@@ -151,6 +151,10 @@ static int process_append_data3(void *_process_ipc,
 /* Size is process IPC plus private data minus ABI header */
 bytes_ctl = (struct snd_soc_tplg_bytes_control *)ctl;
+ if (bytes_ctl->priv.size < sizeof(struct sof_abi_hdr)) {
+ fprintf(stderr, "error: process priv data smaller than ABI header\n");
+ return -EINVAL;
+ }
 size = bytes_ctl->priv.size - sizeof(struct sof_abi_hdr);
 ipc_size = sizeof(struct sof_ipc_comp_process) + UUID_SIZE + process_ipc->size + size;
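Review bot: The new guard bounds `priv.size` only from below, so the `ipc_size = ...` sum at the end of the hunk is still computed from a `size` with no upper limit. Where `size_t` is 32 bits, a `priv.size` near the top of its range could make `sizeof(struct sof_ipc_comp_process) + UUID_SIZE + process_ipc->size + size` wrap and pass the `ipc_size` check the commit message refers to; the declarations are not visible here, so this is inferred. Comparing `size` with the remaining room before the addition closes that, e.g. `if (size > limit - fixed_part) return -EINVAL;`, where `limit` and `fixed_part` are placeholders for the bound that check uses and the other three terms of the sum. The hunk also does not show whether `priv.size` is validated against the bytes actually present in the topology data before the copy; process_append_data3() begins and continues outside the hunk.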