security: fix out-of-bounds read in AVB AECP AEM command handler

Memory Safety: High

The cmd_names[] array was indexed with a network-provided command type
value before the bounds check, allowing an out-of-bounds read when
processing crafted AVB network packets. Moved the bounds validation
before the array access to prevent reading past the end of the array.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/modules/module-avb/aecp-aem.c

@@ -427,15 +427,17 @@ int avb_aecp_aem_handle_command(struct aecp *aecp, const void *m, int len)
 
 	cmd_type = AVB_PACKET_AEM_GET_COMMAND_TYPE(p);
 
-	pw_log_info("mode: %s aem command %s",
-		get_avb_mode_str(server->avb_mode), cmd_names[cmd_type]);
-
 	if (cmd_info_modes[server->avb_mode].count <= cmd_type) {
-		pw_log_warn("Too many %d vs exp. %zu\n", cmd_type,
+		pw_log_warn("unknown aem command %d (max %zu)\n", cmd_type,
 			cmd_info_modes[server->avb_mode].count);
 		return reply_not_implemented(aecp, m, len);
 	}
 
+	pw_log_info("mode: %s aem command %s",
+		get_avb_mode_str(server->avb_mode),
+		cmd_type < SPA_N_ELEMENTS(cmd_names) && cmd_names[cmd_type]
+			? cmd_names[cmd_type] : "unknown");
+
 	info = &cmd_info_modes[server->avb_mode].cmd_info[cmd_type];
 	if (!info || !info->handle_command )
 		return reply_not_implemented(aecp, m, len);
@@ -453,8 +455,7 @@ int avb_aecp_aem_handle_command(struct aecp *aecp, const void *m, int len)
 	 * commands are always allowed regardless of lock state.
 	 */
 	if (!info->is_readonly && check_locked(aecp, now, p)) {
-		pw_log_info("aem command %s rejected: entity locked",
+		pw_log_info("aem command %d rejected: entity locked", cmd_type);
-			cmd_names[cmd_type]);
 		return reply_entity_locked(aecp, m, len);
 	}