mirror of https://github.com/thesofproject/sof.git
c9e090ccf3
There may be a situation where size of all elements of the
snd_tplg_vendor_array is greater than the private data size.
If we take a look at array structure
struct snd_soc_tplg_vendor_array {
__le32 size; /* size in bytes of the array, including all elements */
__le32 type; /* SND_SOC_TPLG_TUPLE_TYPE_ */
__le32 num_elems; /* number of elements in array */
union {
struct snd_soc_tplg_vendor_uuid_elem uuid[0];
struct snd_soc_tplg_vendor_value_elem value[0];
struct snd_soc_tplg_vendor_string_elem string[0];
};
} __attribute__((packed));
and assume of private data size is size.
If num_elems * sizeof(..._elem) > size occurs, this is bad
because, we first try to allocate _size_ bytes via malloc to array
pointer. Since the num_elems * sizeof(..._elem) is greater than
size, we get a segmentation fault when we try to memcpy the
remaining size in the subsequent functions (read tplg_read_array()).
We fix this problem by checking for whether array size falls
within the bounds of private data size.
Signed-off-by: Mohana Datta Yelugoti <ymdatta.work@gmail.com>
|
||
|---|---|---|
| .github/ISSUE_TEMPLATE | ||
| doc | ||
| keys | ||
| rimage@7317f2af39 | ||
| scripts | ||
| smex | ||
| src | ||
| test | ||
| tools | ||
| zephyr | ||
| .gitignore | ||
| .gitmodules | ||
| .travis.yml | ||
| CMakeLists.txt | ||
| CODEOWNERS | ||
| Kconfig | ||
| LICENCE | ||
| README.md | ||
README.md
Sound Open Firmware
Status
Documentation
See docs
Running the tests
See unit testing documentation
Deployment
TODO: Add additional notes about how to deploy this on a live system
Contributing
See Contributing to the Project
License
This project is licensed under the BSD Clause 3 - see the LICENCE file for details