pcm_converter: reject out-of-range channel map at runtime#10918
Open
lgirdwood wants to merge 1 commit into
Open
pcm_converter: reject out-of-range channel map at runtime#10918lgirdwood wants to merge 1 commit into
lgirdwood wants to merge 1 commit into
Conversation
The remap routines validated the source channel nibble only with an assert, which is compiled out in release builds. Fold the bound into the existing mute path so an out-of-range nibble mutes the output instead of indexing past the source frame. Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
lgirdwood
requested review from
dbaluta,
kv2019i,
lbetlej,
mmaka1 and
plbossart
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR hardens PCM channel remapping by handling out-of-range channel-map nibbles at runtime (instead of relying on assert()), preventing potential out-of-bounds reads in release builds by muting invalid mappings.
Changes:
- Treat out-of-range
chmapnibbles as “mute” during remap to avoid indexing past the source frame. - Remove
assert(src_channel < num_src_channels)checks that were ineffective in release builds. - Apply the same guard behavior across multiple remap variants (c16/c32 and shift/convert paths).
Comment on lines
+71
to
77
| /* 0xf means "mute"; also mute any out-of-range source channel so | ||
| * a crafted chmap nibble cannot index past the source frame. | ||
| */ | ||
| if (src_channel == 0xf || src_channel >= num_src_channels) { | ||
| mute_channel_c16(sink, sink_channel, frames); | ||
| continue; | ||
| } |
Contributor
There was a problem hiding this comment.
Copilot has a point, but in any case this is an improvement over earlier state of things.
jsarha
approved these changes
Jun 15, 2026
Comment on lines
+71
to
77
| /* 0xf means "mute"; also mute any out-of-range source channel so | ||
| * a crafted chmap nibble cannot index past the source frame. | ||
| */ | ||
| if (src_channel == 0xf || src_channel >= num_src_channels) { | ||
| mute_channel_c16(sink, sink_channel, frames); | ||
| continue; | ||
| } |
Contributor
There was a problem hiding this comment.
Copilot has a point, but in any case this is an improvement over earlier state of things.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The remap routines validated the host-supplied channel-map nibble only with
an
assert(), which is compiled out in release builds, so an out-of-rangevalue could index past the source frame in production. Fold the bound into
the existing "mute" path so an out-of-range nibble mutes the output instead
of reading out of bounds.
No functional change for valid configurations.