From 40dc14785bc7c1c59b1e674cb9ff9f934cabe843 Mon Sep 17 00:00:00 2001 From: Liam Girdwood Date: Thu, 11 Jun 2026 14:30:13 +0100 Subject: [PATCH 1/3] dcblock: require blob to cover coefficients before copy The coefficient copy always read a fixed number of bytes from the config blob regardless of its actual size, over-reading adjacent heap for a short blob. Fall back to passthrough unless the blob holds the whole coefficient array. Signed-off-by: Liam Girdwood --- src/audio/dcblock/dcblock.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/audio/dcblock/dcblock.c b/src/audio/dcblock/dcblock.c index 5f0935a2bc29..15e6139b7a89 100644 --- a/src/audio/dcblock/dcblock.c +++ b/src/audio/dcblock/dcblock.c @@ -205,7 +205,11 @@ static int dcblock_prepare(struct processing_module *mod, cd->source_format, cd->sink_format); cd->config = comp_get_data_blob(cd->model_handler, &data_size, NULL); - if (cd->config && data_size > 0) + /* dcblock_copy_coefficients() copies sizeof(R_coeffs) from the blob, so + * require the blob to actually hold that many bytes; fall back to + * passthrough otherwise instead of over-reading the blob + */ + if (cd->config && data_size >= sizeof(cd->R_coeffs)) dcblock_copy_coefficients(mod); else dcblock_set_passthrough(mod); From acd2564f092b89b7e696b9896e44d6bdb32e001e Mon Sep 17 00:00:00 2001 From: Liam Girdwood Date: Thu, 11 Jun 2026 14:30:13 +0100 Subject: [PATCH 2/3] drc: validate config blob size before use DRC setup dereferenced the config blob as a fixed struct without verifying the blob was at least that large, over-reading adjacent heap for a short blob. Require the blob to cover the config struct. Signed-off-by: Liam Girdwood --- src/audio/drc/drc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/audio/drc/drc.c b/src/audio/drc/drc.c index 007336fb2115..7fe86ce01c56 100644 --- a/src/audio/drc/drc.c +++ b/src/audio/drc/drc.c @@ -353,7 +353,10 @@ static int drc_prepare(struct processing_module *mod, /* Initialize DRC */ comp_info(dev, "source_format=%d", cd->source_format); cd->config = comp_get_data_blob(cd->model_handler, &data_size, NULL); - if (cd->config && data_size > 0) { + /* the blob is dereferenced as a struct sof_drc_config below and in + * drc_setup(), so require it to be at least that large + */ + if (cd->config && data_size >= sizeof(struct sof_drc_config)) { ret = drc_setup(mod, channels, rate); if (ret < 0) { comp_err(dev, "error: drc_setup failed."); From 77fd9ef973bb2432ac770cb93b0f0e82186af1c8 Mon Sep 17 00:00:00 2001 From: Liam Girdwood Date: Thu, 11 Jun 2026 14:30:37 +0100 Subject: [PATCH 3/3] multiband_drc: validate config blob covers all bands Setup read a base config struct and per-band coefficients from the blob without a size check, over-reading for a short blob. Require the blob to cover the base struct and num_bands band entries. Signed-off-by: Liam Girdwood --- src/audio/multiband_drc/multiband_drc.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/audio/multiband_drc/multiband_drc.c b/src/audio/multiband_drc/multiband_drc.c index 84a079134ea1..1c36c4e5c184 100644 --- a/src/audio/multiband_drc/multiband_drc.c +++ b/src/audio/multiband_drc/multiband_drc.c @@ -369,7 +369,14 @@ static int multiband_drc_prepare(struct processing_module *mod, comp_dbg(dev, "source_format=%d, sink_format=%d", cd->source_format, cd->source_format); cd->config = comp_get_data_blob(cd->model_handler, &data_size, NULL); - if (cd->config && data_size > 0) { + /* the blob holds a base struct followed by num_bands variable-length + * band coefficients; require the base struct first, then the full + * per-band payload, so setup cannot read past the blob + */ + if (cd->config && data_size >= sizeof(struct sof_multiband_drc_config) && + cd->config->num_bands <= SOF_MULTIBAND_DRC_MAX_BANDS && + data_size >= sizeof(struct sof_multiband_drc_config) + + (size_t)cd->config->num_bands * sizeof(struct sof_drc_params)) { ret = multiband_drc_setup(mod, channels, rate); if (ret < 0) { comp_err(dev, "error: multiband_drc_setup failed.");