From af49eb1d313a9498f9e62807d1b42e9f55a5a931 Mon Sep 17 00:00:00 2001
From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Date: Mon, 23 Mar 2026 17:10:33 +0200
Subject: [PATCH] topology: decoder: fix wrong sizeof for enum control
 allocation in dapm

The tplg_calloc() call for enum control in the dapm widget kcontrol
decode loop used sizeof(*mt) (mixer template) instead of sizeof(*et)
(enum template). On 64-bit systems, snd_tplg_mixer_template is 72 bytes
while snd_tplg_enum_template is 80 bytes, causing an 8-byte heap buffer
overflow when the enum fields (texts, values pointers) were written past
the allocated block. This resulted in heap corruption and e.g. glibc
malloc hit an assert.

Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
---
 src/topology/dapm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/topology/dapm.c b/src/topology/dapm.c
index d261b15b..04a57ddd 100644
--- a/src/topology/dapm.c
+++ b/src/topology/dapm.c
@@ -983,7 +983,7 @@ next:
 							 bin, size2);
 			break;
 		case SND_SOC_TPLG_TYPE_ENUM:
-			et = tplg_calloc(&heap, sizeof(*mt));
+			et = tplg_calloc(&heap, sizeof(*et));
 			if (et == NULL) {
 				err = -ENOMEM;
 				goto retval;