mirrors/alsa-lib
1
0
Fork 0
mirror of https://github.com/alsa-project/alsa-lib.git synced 2026-02-12 04:27:45 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

topology: decoder - add boundary check for channel mixer count
Some checks failed
Build alsa-lib / fedora_latest_build (push) Has been cancelled
Details
Build alsa-lib / ubuntu_last_build (push) Has been cancelled
Details

Browse source 
Malicious binary topology file may cause heap corruption.

CVE: CVE-2026-25068

Signed-off-by: Jaroslav Kysela <perex@perex.cz>
This commit is contained in:
Jaroslav Kysela 2026-01-29 16:51:09 +01:00
parent bc332f4211
commit 5f7fe33002
1 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/topology/ctl.c
View file

@ -1250,6 +1250,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg,
if (mc->num_channels > 0) { if (mc->num_channels > 0) {
map = tplg_calloc(heap, sizeof(*map)); map = tplg_calloc(heap, sizeof(*map));
map->num_channels = mc->num_channels; map->num_channels = mc->num_channels;
if (map->num_channels > SND_TPLG_MAX_CHAN ||
map->num_channels > SND_SOC_TPLG_MAX_CHAN) {
snd_error(TOPOLOGY, "mixer: unexpected channel count %d", map->num_channels);
return -EINVAL;
}
for (i = 0; i < map->num_channels; i++) { for (i = 0; i < map->num_channels; i++) {
map->channel[i].reg = mc->channel[i].reg; map->channel[i].reg = mc->channel[i].reg;
map->channel[i].shift = mc->channel[i].shift; map->channel[i].shift = mc->channel[i].shift;