From 4ee804a5bf4f68791d3e1e7fbf1fac582161262c Mon Sep 17 00:00:00 2001
From: Domppari
Date: Mon, 5 Jan 2026 10:50:02 +0200
Subject: [PATCH] Extra validation of input, for CodeQL

---
 src/disk/hdd_audio.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/disk/hdd_audio.c b/src/disk/hdd_audio.c
index 04c27e11d..ad9a08a80 100644
--- a/src/disk/hdd_audio.c
+++ b/src/disk/hdd_audio.c
@@ -105,6 +105,15 @@ hdd_audio_load_profiles(void)
 return;
 }
 
+ /* Validate the path ends with our expected filename */
+ const char *expected_suffix = "hdd_audio_profiles.cfg";
+ size_t cfg_len = strlen(cfg_fn);
+ size_t suffix_len = strlen(expected_suffix);
+ if (cfg_len < suffix_len || strcmp(cfg_fn + cfg_len - suffix_len, expected_suffix) != 0) {
+ pclog("HDD Audio: Unexpected config path\n");
+ return;
+ }
+
 profiles_ini = ini_read_ex(cfg_fn, 1); /* lgtm[cpp/path-injection] */
 if (profiles_ini == NULL) {
 pclog("HDD Audio: Failed to load hdd_audio_profiles.cfg\n");
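Review bot: The suffix check on the new `if` line constrains only the last bytes of `cfg_fn`, not where it points, so a value such as `../../x/hdd_audio_profiles.cfg` or `evil_hdd_audio_profiles.cfg` still passes and reaches `ini_read_ex`; if the goal is to actually close the path-injection finding rather than satisfy the scanner, the path should be checked for containment in the expected base directory (or canonicalized first), and the pre-existing `lgtm[cpp/path-injection]` suppression on the following line suggests the check may not even be what CodeQL keys on. At minimum, require that the filename is a whole path component by extending the condition to `if (cfg_len < suffix_len || strcmp(cfg_fn + cfg_len - suffix_len, expected_suffix) != 0 || (cfg_len > suffix_len && cfg_fn[cfg_len - suffix_len - 1] != '/' && cfg_fn[cfg_len - suffix_len - 1] != '\\')) {`. For triage it would also help to log the rejected value, `pclog("HDD Audio: Unexpected config path: %s\n", cfg_fn);`, assuming pclog is printf-style as its existing uses here suggest. The new code relies on `cfg_fn` being non-NULL, which is presumably established by the `return;` just above the hunk; `hdd_audio_load_profiles` begins before this hunk and continues after it.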