From 45d7e4158549188feaeeffa8b86455a44757a0d6 Mon Sep 17 00:00:00 2001
From: Liam Girdwood
Date: Thu, 11 Jun 2026 13:08:12 +0100
Subject: [PATCH] logger: account for entry size in uuid pointer bounds check

The uuid pointer bounds check did not reserve space for the full entry, so a pointer near the end of the region could read an entry straddling the buffer end. Require a whole entry to fit before dereferencing.

Signed-off-by: Liam Girdwood
---
 tools/logger/convert.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/logger/convert.c b/tools/logger/convert.c
index 4e0a6cdc59ae..834ee5a1b243 100644
--- a/tools/logger/convert.c
+++ b/tools/logger/convert.c
@@ -126,8 +126,14 @@ static const char *format_uid(uint32_t uid_ptr, int use_colors, bool be, bool up
 const struct sof_uuid_entry *uid_entry;
 char *str;
 
+ /*
+ * The whole struct sof_uuid_entry is read at uid_ptr, so require that
+ * many bytes to remain in the uids region; a bare ">=" upper bound
+ * would accept a pointer whose entry straddles the end of the buffer.
+ */
 if (uid_ptr < uids_dict->base_address ||
- uid_ptr >= uids_dict->base_address + uids_dict->data_length) {
+ uid_ptr + sizeof(struct sof_uuid_entry) >
+ uids_dict->base_address + uids_dict->data_length) {
 str = calloc(1, strlen(BAD_PTR_STR) + 1 + 6);
 if (!str) {
 log_err("can't allocate memory\n");
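Review bot: The new upper bound `uid_ptr + sizeof(struct sof_uuid_entry) > uids_dict->base_address + uids_dict->data_length` can still be bypassed by integer wraparound: `uid_ptr` is a caller-supplied `uint32_t` and the sum is evaluated in `size_t`, which is 32 bits wide on a 32-bit host, so a value near `UINT32_MAX` wraps to a small number and is accepted. The right-hand side has the same exposure if `base_address` and `data_length` are 32-bit header fields; their declarations are not in this hunk, so that needs confirming. Comparing offsets avoids both additions: after the lower-bound test, use `uids_dict->data_length < sizeof(struct sof_uuid_entry) ||` followed by `uid_ptr - uids_dict->base_address > uids_dict->data_length - sizeof(struct sof_uuid_entry)`. The body of format_uid, including the dereference this check guards, continues past the end of the hunk.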