mirror of https://github.com/thesofproject/sof.git
c9e090ccf3
There may be a situation where the size of all elements of the snd_tplg_vendor_array is greater than the private data size.

If we take a look at the array structure

```c
struct snd_soc_tplg_vendor_array {
	__le32 size;	/* size in bytes of the array, including all elements */
	__le32 type;	/* SND_SOC_TPLG_TUPLE_TYPE_ */
	__le32 num_elems;	/* number of elements in array */
	union {
		struct snd_soc_tplg_vendor_uuid_elem uuid[0];
		struct snd_soc_tplg_vendor_value_elem value[0];
		struct snd_soc_tplg_vendor_string_elem string[0];
	};
} __attribute__((packed));
```

and assume the private data size is size.

If num_elems * sizeof(..._elem) > size occurs, this is bad because we first try to allocate _size_ bytes via malloc to the array pointer. Since num_elems * sizeof(..._elem) is greater than size, we get a segmentation fault when we try to memcpy the remaining size in the subsequent functions (read tplg_read_array()).

We fix this problem by checking whether the array size falls within the bounds of the private data size.

Signed-off-by: Mohana Datta Yelugoti <ymdatta.work@gmail.com>

||
---|---|---|
.github/ISSUE_TEMPLATE | ||
doc | ||
keys | ||
rimage@7317f2af39 | ||
scripts | ||
smex | ||
src | ||
test | ||
tools | ||
zephyr | ||
.gitignore | ||
.gitmodules | ||
.travis.yml | ||
CMakeLists.txt | ||
CODEOWNERS | ||
Kconfig | ||
LICENCE | ||
README.md |
README.md
Sound Open Firmware
Status
Documentation
See docs
Running the tests
See unit testing documentation
Deployment
TODO: Add additional notes about how to deploy this on a live system
Contributing
See Contributing to the Project
License
This project is licensed under the BSD Clause 3 - see the LICENCE file for details