diff options
| author | Ajay Panicker <apanicke@google.com> | 2018-01-10 16:12:50 -0800 |
|---|---|---|
| committer | Tim Schumacher <timschumi@gmx.de> | 2018-03-30 14:34:06 +0200 |
| commit | 07a56171313b5870c8a787ad03b5cc81dec32450 (patch) | |
| tree | 913b5f8ff038a36fc3562db553e67014420a8308 | |
| parent | b3cf832cd05b0c26035861ceb2fd75038b7b4bac (diff) | |
| download | android_system_bt-07a56171313b5870c8a787ad03b5cc81dec32450.tar.gz android_system_bt-07a56171313b5870c8a787ad03b5cc81dec32450.tar.bz2 android_system_bt-07a56171313b5870c8a787ad03b5cc81dec32450.zip | |
AVRCP: Check the number of text attributes requested
Test: Build
Bug: 69478941
Change-Id: Ibc456511c8d7339213f08b07d70f5e25be140d68
(cherry picked from commit 249bb665b1020e81547246f5b29ed9040d696388)
CVE-2017-13266
| -rw-r--r-- | stack/avrc/avrc_pars_tg.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/stack/avrc/avrc_pars_tg.c b/stack/avrc/avrc_pars_tg.c index 90bc5b30b..dc6cb68cc 100644 --- a/stack/avrc/avrc_pars_tg.c +++ b/stack/avrc/avrc_pars_tg.c @@ -23,6 +23,7 @@ #include "avrc_api.h" #include "avrc_defs.h" #include "avrc_int.h" +#include "log/log.h" /***************************************************************************** ** Global data @@ -171,6 +172,13 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_ status = AVRC_STS_INTERNAL_ERR; break; } + + if (p_result->get_cur_app_val.num_attr > AVRC_MAX_APP_ATTR_SIZE) + { + android_errorWriteLog(0x534e4554, "63146237"); + p_result->get_cur_app_val.num_attr = AVRC_MAX_APP_ATTR_SIZE; + } + p_u8 = p_result->get_cur_app_val.attrs; for (xx=0, yy=0; xx< p_result->get_cur_app_val.num_attr; xx++) { |