audio: copier: fix channel and memcpy validation#10897
Merged
kv2019i merged 2 commits intoJun 17, 2026
Merged
Conversation
channels is host-controlled (8-bit, 0-255). Without validation it drives the memcpy length (channels * sizeof(uint16_t)) against a MAX_GAIN_COEFFS_CNT-sized stack buffer and, for channels == 0, causes divide-by-zero in the coefficient replication loop. Reject values outside [1, MAX_GAIN_COEFFS_CNT]. Signed-off-by: Adrian Bonislawski <adrian.bonislawski@intel.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates copier gain DMA control to use an unsigned channel count, adds explicit channel-count validation, and fixes memcpy_s destination size validation to prevent incorrect bounds checking.
Changes:
- Switch
channelsparameter/type frominttouint32_tfor copier gain configuration. - Add runtime validation for
channels(non-zero and withinMAX_GAIN_COEFFS_CNT). - Correct
memcpy_susage by passing the full destination buffer size.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/audio/copier/copier_gain.h | Updates copier_set_gain() API to take uint32_t channels. |
| src/audio/copier/copier_gain.c | Uses uint32_t channels, validates range, and fixes memcpy_s destination size argument. |
abonislawski
force-pushed
the
fix/copier_set_gain_channels
branch
from
522d046 to
466596f
Compare
lgirdwood
approved these changes
Jun 12, 2026
singalsu
approved these changes
Jun 15, 2026
lyakh
reviewed
Jun 16, 2026
|
|
||
| struct ipc4_copier_module_cfg *copier_cfg = cd->dd[0]->dai_spec_config; | ||
| const int channels = copier_cfg->base.audio_fmt.channels_count; | ||
| const uint32_t channels = copier_cfg->base.audio_fmt.channels_count; |
Collaborator
There was a problem hiding this comment.
unsigned int would do too. In the function prototype too of course.
tmleman
approved these changes
Jun 16, 2026
The first memcpy_s call passed gain_coef_size (= channels * sizeof(uint16_t), host-controlled) as the dest_size argument, defeating the bounds check. Pass sizeof(static_gain) — the true buffer capacity so memcpy_s can enforce the limit. Signed-off-by: Adrian Bonislawski <adrian.bonislawski@intel.com>
abonislawski
force-pushed
the
fix/copier_set_gain_channels
branch
from
466596f to
a0e659f
Compare
Member
Author
|
Just rerun, no changes |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.