From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Date: Mon, 23 Mar 2026 15:10:33 +0000 (+0200)
Subject: topology: decoder: fix wrong sizeof for enum control allocation in dapm
X-Git-Tag: v1.2.16~10
X-Git-Url: https://git.alsa-project.org/?a=commitdiff_plain;h=eebca4c0b0a7c2561255aa54b1e66b2e695b7c2b;p=alsa-lib.git

topology: decoder: fix wrong sizeof for enum control allocation in dapm

The tplg_calloc() call for enum control in the dapm widget kcontrol
decode loop used sizeof(*mt) (mixer template) instead of sizeof(*et)
(enum template). On 64-bit systems, snd_tplg_mixer_template is 72 bytes
while snd_tplg_enum_template is 80 bytes, causing an 8-byte heap buffer
overflow when the enum fields (texts, values pointers) were written past
the allocated block. This resulted in heap corruption and e.g. glibc
malloc hit an assert.

Closes: https://github.com/alsa-project/alsa-lib/pull/501
Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
---

diff --git a/src/topology/dapm.c b/src/topology/dapm.c
index d261b15b..04a57ddd 100644
--- a/src/topology/dapm.c
+++ b/src/topology/dapm.c
@@ -983,7 +983,7 @@ next:
 							 bin, size2);
 			break;
 		case SND_SOC_TPLG_TYPE_ENUM:
-			et = tplg_calloc(&heap, sizeof(*mt));
+			et = tplg_calloc(&heap, sizeof(*et));
 			if (et == NULL) {
 				err = -ENOMEM;
 				goto retval;