audio: tdfb: Improve robustness for invalid configuration

Add several validity checks against malformed configuration blobs and
malformed IPC control payloads:

- Verify that the self-declared config->size matches the size reported
  by the data-blob handler. The blob size is now stored in
  cd->config_size (set in both tdfb_prepare and the runtime blob-update
  path) so tdfb_init_coef can confirm the two agree before any further
  offset arithmetic that depends on config->size.
- Reject angle_enum_mult == 0, which would otherwise collapse the
  azimuth target computation to a constant.
- Reject filter_angles[].filter_index values that are negative or that
  would make the per-bank seek run past the total filter-block count.
- Reject negative input_channel_select[] entries; the field is int16_t
  and an untrusted blob can supply a value that bypasses the existing
  '> max_ch' check but is still used as an array index.
- Increase the local time-difference array in
  theoretical_time_differences() from PLATFORM_MAX_CHANNELS (4 or 8 per
  platform) to SOF_TDFB_MAX_MICROPHONES (16), matching the validated
  upper bound on num_mic_locations.
- Clamp cdata->num_elems to SOF_IPC_MAX_CHANNELS in the IPC3 GET
  handler so the chanv[] write loop cannot run past the payload,
  matching the volume_ipc3 convention.

Signed-off-by: Seppo Ingalsuo <seppo.ingalsuo@linux.intel.com>

Author: singalsu

src/audio/tdfb/tdfb.c

@@ -323,6 +323,11 @@ static int tdfb_init_coef(struct processing_module *mod, int source_nch,
 	int i;
 
 	/* Sanity checks */
+	if (config->size != cd->config_size) {
+		comp_err(dev, "Incorrect configuration blob size");
+		return -EINVAL;
+	}
+
 	if (config->num_output_channels > PLATFORM_MAX_CHANNELS ||
 	    !config->num_output_channels) {
 		comp_err(dev, "invalid num_output_channels %d",
@@ -348,6 +353,11 @@ static int tdfb_init_coef(struct processing_module *mod, int source_nch,
 		return -EINVAL;
 	}
 
+	if (!config->angle_enum_mult) {
+		comp_err(dev, "invalid angle_enum_mult");
+		return -EINVAL;
+	}
+
 	if (config->beam_off_defined > 1) {
 		comp_err(dev, "invalid beam_off_defined %d",
 			 config->beam_off_defined);
@@ -423,6 +433,12 @@ static int tdfb_init_coef(struct processing_module *mod, int source_nch,
 			  cd->filter_angles[min_delta_idx].azimuth, idx);
 	}
 
+	if (idx < 0 || idx + (int)config->num_filters > num_filters) {
+		comp_err(dev, "invalid filter_index %d for angle %d",
+			 idx, cd->filter_angles[min_delta_idx].azimuth);
+		return -EINVAL;
+	}
+
 	/* Seek to proper filter for requested angle or beam off configuration */
 	coefp = tdfb_filter_seek(config, idx);
 
@@ -451,6 +467,11 @@ static int tdfb_init_coef(struct processing_module *mod, int source_nch,
 	for (i = 0; i < config->num_filters; i++) {
 		if (cd->input_channel_select[i] > max_ch)
 			max_ch = cd->input_channel_select[i];
+
+		if (cd->input_channel_select[i] < 0) {
+			comp_err(dev, "invalid channel select for filter %d", i);
+			return -EINVAL;
+		}
 	}
 
 	/* The stream must contain at least the number of channels that is
@@ -641,7 +662,7 @@ static int tdfb_process(struct processing_module *mod,
 
 	/* Check for changed configuration */
 	if (comp_is_new_data_blob_available(cd->model_handler)) {
-		cd->config = comp_get_data_blob(cd->model_handler, NULL, NULL);
+		cd->config = comp_get_data_blob(cd->model_handler, &cd->config_size, NULL);
 		ret = tdfb_setup(mod, audio_stream_get_channels(source),
 				 audio_stream_get_channels(sink),
 				 audio_stream_get_frm_fmt(source));
@@ -705,7 +726,6 @@ static int tdfb_prepare(struct processing_module *mod,
 	struct comp_buffer *sourceb, *sinkb;
 	struct comp_dev *dev = mod->dev;
 	enum sof_ipc_frame frame_fmt;
-	size_t data_size;
 	int source_channels;
 	int sink_channels;
 	int rate;
@@ -735,8 +755,8 @@ static int tdfb_prepare(struct processing_module *mod,
 	rate = audio_stream_get_rate(&sourceb->stream);
 
 	/* Initialize filter */
-	cd->config = comp_get_data_blob(cd->model_handler, &data_size, NULL);
-	if (!cd->config || !data_size) {
+	cd->config = comp_get_data_blob(cd->model_handler, &cd->config_size, NULL);
+	if (!cd->config || !cd->config_size) {
 		comp_err(dev, "Missing a configuration blob.");
 		ret = -EINVAL;
 		goto out;

src/audio/tdfb/tdfb_comp.h

@@ -88,6 +88,7 @@ struct tdfb_comp_data {
 	int16_t *output_stream_mix;         /**< for each FIR define stream */
 	int16_t az_value;		    /**< beam steer azimuth as in control enum */
 	int16_t az_value_estimate;	    /**< beam steer azimuth as in control enum */
+	size_t config_size;		    /**< size of the configuration blob */
 	size_t fir_delay_size;              /**< allocated size */
 	unsigned int max_frames;	    /**< max frames to process */
 	bool direction_updates:1;	    /**< set true if direction angle control is updated */

src/audio/tdfb/tdfb_direction.c

@@ -386,7 +386,7 @@ static int16_t distance_from_source(struct tdfb_comp_data *cd, int mic_n,
 
 static void theoretical_time_differences(struct tdfb_comp_data *cd, int16_t az)
 {
-	int16_t d[PLATFORM_MAX_CHANNELS];
+	int16_t d[SOF_TDFB_MAX_MICROPHONES];
 	int16_t src_x;
 	int16_t src_y;
 	int16_t sin_az;

src/audio/tdfb/tdfb_ipc3.c

@@ -112,6 +112,9 @@ static int tdfb_cmd_get_value(struct processing_module *mod, struct sof_ipc_ctrl
 {
 	struct tdfb_comp_data *cd = module_get_private_data(mod);
 
+	if (cdata->num_elems == 0 || cdata->num_elems > SOF_IPC_MAX_CHANNELS)
+		return -EINVAL;
+
 	switch (cdata->cmd) {
 	case SOF_CTRL_CMD_ENUM:
 		comp_dbg(mod->dev, "SOF_CTRL_CMD_ENUM index=%d",