From 57feb0ce6b006e402a01cbe03061597b8cc70b8a Mon Sep 17 00:00:00 2001
From: "barry.jan" <barry.jan@waves.com>
Date: Mon, 8 Apr 2024 16:47:11 +0800
Subject: [PATCH] waves: verify payload size and initialize memory to zero to
 the        allocated memory in waves.c

    Enhance payload corruption handling by verifying size
    and make sure to have clean buffer before using it.

Signed-off-by: barry.jan <barry.jan@waves.com>
---
 src/audio/module_adapter/module/waves/waves.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/audio/module_adapter/module/waves/waves.c b/src/audio/module_adapter/module/waves/waves.c
index 44a7545149a5..60a574f64067 100644
--- a/src/audio/module_adapter/module/waves/waves.c
+++ b/src/audio/module_adapter/module/waves/waves.c
@@ -601,6 +601,7 @@ static int waves_effect_apply_config(struct processing_module *mod)
 	/* incoming data in cfg->data is arranged according to struct module_param
 	 * there migh be more than one struct module_param inside cfg->data, glued back to back
 	 */
+	const uint32_t header_size = sizeof(param->size) + sizeof(param->id);
 	for (index = 0; index < cfg->size && (!ret); param_number++) {
 		uint32_t param_data_size;
 
@@ -610,6 +611,18 @@ static int waves_effect_apply_config(struct processing_module *mod)
 		comp_info(dev, "waves_effect_apply_config() param num %d id %d size %d",
 			  param_number, param->id, param->size);
 
+		if ((param->size <= header_size) || (param->size > MAX_CONFIG_SIZE_BYTES)) {
+			comp_err(dev, "waves_effect_apply_config() invalid module_param size: %d",
+				param->size);
+			return -EINVAL;
+		}
+
+		if ((index + param->size) > cfg->size) {
+			comp_err(dev, "waves_effect_apply_config() module_param size: %d exceeds cfg buffer size: %d",
+				param->size, cfg->size);
+			return -EINVAL;
+		}
+
 		switch (param->id) {
 		case PARAM_NOP:
 			comp_info(dev, "waves_effect_apply_config() NOP");
@@ -653,6 +666,7 @@ static int waves_codec_init(struct processing_module *mod)
 			 sizeof(struct waves_codec_data));
 		ret = -ENOMEM;
 	} else {
+		memset(waves_codec, 0, sizeof(struct waves_codec_data));
 		codec->private = waves_codec;
 		ret = waves_effect_allocate(mod);
 		if (ret) {