audio: module_adapter_ipc4: add range check to module_get_large_config()

In a multi-block get case, if the host sends data_off_size > md->cfg.size,
the calculation of the last fragment size is incorrect if a sufficiently
large value is passed.

Add validation to catch this case and return an error data_off_size is too
large.

Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>

Author: kv2019i

src/audio/module_adapter/module_adapter_ipc4.c

@@ -263,10 +263,22 @@ int module_get_large_config(struct comp_dev *dev, uint32_t param_id, bool first_
 		else
 			fragment_size = SOF_IPC_MSG_MAX_SIZE;
 	} else {
-		if (!last_block)
+		if (!last_block) {
 			fragment_size = SOF_IPC_MSG_MAX_SIZE;
-		else
+		} else {
+			/*
+			 * *data_offset_size is host-supplied (the IPC4 data_off_size
+			 * field) and both operands are unsigned, so reject an offset
+			 * past the config size to avoid the subtraction underflowing
+			 * into a huge fragment_size passed to get_configuration().
+			 */
+			if (*data_offset_size > md->cfg.size) {
+				comp_err(dev, "invalid data_offset_size %u > cfg size %zu",
+					 *data_offset_size, md->cfg.size);
+				return -EINVAL;
+			}
 			fragment_size = md->cfg.size - *data_offset_size;
+		}
 	}
 
 	if (interface->get_configuration)