Skip to content

drc: validate host config blob sizes (dcblock, drc, multiband_drc) #10930

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kv2019i merged 3 commits into from
Jun 18, 2026
+17 −3
Merged

drc: validate host config blob sizes (dcblock, drc, multiband_drc) #10930

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
40dc147
dcblock: require blob to cover coefficients before copy
lrgirdwo Jun 11, 2026
acd2564
drc: validate config blob size before use
lrgirdwo Jun 11, 2026
77fd9ef
multiband_drc: validate config blob covers all bands
lrgirdwo Jun 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion src/audio/dcblock/dcblock.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -205,7 +205,11 @@ static int dcblock_prepare(struct processing_module *mod,
cd->source_format, cd->sink_format);

cd->config = comp_get_data_blob(cd->model_handler, &data_size, NULL);
if (cd->config && data_size > 0)
/* dcblock_copy_coefficients() copies sizeof(R_coeffs) from the blob, so
* require the blob to actually hold that many bytes; fall back to
* passthrough otherwise instead of over-reading the blob
*/
if (cd->config && data_size >= sizeof(cd->R_coeffs))
dcblock_copy_coefficients(mod);
else
dcblock_set_passthrough(mod);
Comment on lines +212 to 215

@lgirdwood lgirdwood Jun 17, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed it's safe but silent — I left it matching the existing passthrough fallback, but a comp_warn() when the blob is non-NULL yet too small is a reasonable addition. Happy to add it if you want it in this PR.

Expand Down
5 changes: 4 additions & 1 deletion src/audio/drc/drc.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -353,7 +353,10 @@ static int drc_prepare(struct processing_module *mod,
/* Initialize DRC */
comp_info(dev, "source_format=%d", cd->source_format);
cd->config = comp_get_data_blob(cd->model_handler, &data_size, NULL);
if (cd->config && data_size > 0) {
/* the blob is dereferenced as a struct sof_drc_config below and in
* drc_setup(), so require it to be at least that large
*/
if (cd->config && data_size >= sizeof(struct sof_drc_config)) {
ret = drc_setup(mod, channels, rate);
Comment on lines +356 to 360

@lgirdwood lgirdwood Jun 17, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as multiband_drc: the existing code already falls back to pass-through (drc_default_pass) when there's no usable config, so an undersized blob takes that same safe path rather than failing prepare(). Can add a comp_warn() for diagnosability if you'd like.

if (ret < 0) {
comp_err(dev, "error: drc_setup failed.");
Expand Down
9 changes: 8 additions & 1 deletion src/audio/multiband_drc/multiband_drc.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -369,7 +369,14 @@ static int multiband_drc_prepare(struct processing_module *mod,
comp_dbg(dev, "source_format=%d, sink_format=%d",
cd->source_format, cd->source_format);
cd->config = comp_get_data_blob(cd->model_handler, &data_size, NULL);
if (cd->config && data_size > 0) {
/* the blob holds a base struct followed by num_bands variable-length
* band coefficients; require the base struct first, then the full
* per-band payload, so setup cannot read past the blob
*/
if (cd->config && data_size >= sizeof(struct sof_multiband_drc_config) &&
cd->config->num_bands <= SOF_MULTIBAND_DRC_MAX_BANDS &&
data_size >= sizeof(struct sof_multiband_drc_config) +
(size_t)cd->config->num_bands * sizeof(struct sof_drc_params)) {
Comment on lines +372 to +379

@lgirdwood lgirdwood Jun 17, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

num_bands is bounded to SOF_MULTIBAND_DRC_MAX_BANDS before the multiplication (the && short-circuits left-to-right), so num_bands * sizeof(band) is at most MAX_BANDS * a small struct — it can't overflow size_t. The first term also requires data_size >= sizeof(base) before num_bands is even read.

ret = multiband_drc_setup(mod, channels, rate);
Comment on lines +376 to 380

@lgirdwood lgirdwood Jun 17, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This matches the component's existing behaviour: an absent/!enabled config leaves it in passthrough rather than failing prepare(), so a too-small blob is treated the same way (skip setup, run passthrough). I kept that to avoid changing the failure semantics, but I'm happy to add a comp_warn() so a malformed blob is visible in the logs if you'd prefer.

if (ret < 0) {
comp_err(dev, "error: multiband_drc_setup failed.");
Expand Down
Loading