-
Notifications
You must be signed in to change notification settings - Fork 50
Expand file tree
/
Copy pathCVE-2026-25068.patch
More file actions
36 lines (31 loc) · 1.27 KB
/
CVE-2026-25068.patch
File metadata and controls
36 lines (31 loc) · 1.27 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
From 0bb8a3f223be367ec0db859577d15ad366f0fb48 Mon Sep 17 00:00:00 2001
From: Jaroslav Kysela <perex@perex.cz>
Date: Thu, 29 Jan 2026 16:51:09 +0100
Subject: [PATCH] topology: decoder - add boundary check for channel mixer
count
Malicious binary topology file may cause heap corruption.
CVE: CVE-2026-25068
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40.patch
---
src/topology/ctl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/topology/ctl.c b/src/topology/ctl.c
index dd05424..311dd05 100644
--- a/src/topology/ctl.c
+++ b/src/topology/ctl.c
@@ -1246,6 +1246,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg,
if (mc->num_channels > 0) {
map = tplg_calloc(heap, sizeof(*map));
map->num_channels = mc->num_channels;
+ if (map->num_channels > SND_TPLG_MAX_CHAN ||
+ map->num_channels > SND_SOC_TPLG_MAX_CHAN) {
+ SNDERR("mixer: unexpected channel count %d", map->num_channels);
+ return -EINVAL;
+ }
for (i = 0; i < map->num_channels; i++) {
map->channel[i].reg = mc->channel[i].reg;
map->channel[i].shift = mc->channel[i].shift;
--
2.45.4