| author | Kevin F. Haggerty <haggertk@lineageos.org> | 2020-05-05 07:52:49 -0600 |
|---|---|---|
| committer | Kevin F. Haggerty <haggertk@lineageos.org> | 2020-05-05 07:52:49 -0600 |
| commit | 881b417698ecf57b92723b2f6e8d68842c70d002 (patch) | |
| tree | 16eb5042500287b58c831c8ccc0f6ca014cfc99c | |
| parent | 999624ee333a402f1f517593ccbe09532dedac5d (diff) | |
| parent | 73c22e6cdbfc5d099985c70edf9670686cc331a9 (diff) | |
Merge tag 'android-9.0.0_r56' of https://android.googlesource.com/platform/system/bt into staging/lineage-16.0_merge-android-9.0.0_r56lineage-16.0
Android 9.0.0 release 56
* tag 'android-9.0.0_r56' of https://android.googlesource.com/platform/system/bt:
Fix potential stack overflow caused by integer overflow
GattServcer: Check invalid offset
AAC Decoder: Use osi_free() to free buffers allocated by osi_malloc()
Change-Id: I0e84d852e9ed217b542b8fd409a4dc6bf59841cf
| -rw-r--r-- | service/gatt_server.cc | 7 | ||||
| -rw-r--r-- | stack/a2dp/a2dp_aac_decoder.cc | 4 | ||||
| -rw-r--r-- | stack/smp/smp_cmac.cc | 3 |
3 files changed, 11 insertions, 3 deletions
diff --git a/service/gatt_server.cc b/service/gatt_server.cc
index 52fd1edf6..f46927d70 100644
--- a/service/gatt_server.cc
+++ b/service/gatt_server.cc
@@ -18,6 +18,7 @@
 #include <base/logging.h>
+#include "osi/include/log.h"
 #include "service/logging_helpers.h"
 #include "stack/include/bt_types.h"
@@ -116,6 +117,12 @@ bool GattServer::SendResponse(const std::string& device_address, int request_id,
 return false;
 }
+ if (offset < 0) {
+ android_errorWriteLog(0x534e4554, "143231677");
+ LOG(ERROR) << "Offset is less than 0 offset: " << offset;
+ return false;
+ }
+
 if (value.size() + offset > BTGATT_MAX_ATTR_LEN) {
 LOG(ERROR) << "Value is too large";
 return false;
diff --git a/stack/a2dp/a2dp_aac_decoder.cc b/stack/a2dp/a2dp_aac_decoder.cc
index d9cd85dc6..d998d7d47 100644
--- a/stack/a2dp/a2dp_aac_decoder.cc
+++ b/stack/a2dp/a2dp_aac_decoder.cc
@@ -30,7 +30,7 @@
 typedef struct {
 HANDLE_AACDECODER aac_handle;
 bool has_aac_handle; // True if aac_handle is valid
- INT_PCM* decode_buf;
+ INT_PCM* decode_buf = nullptr;
 decoded_data_callback_t decode_callback;
 } tA2DP_AAC_DECODER_CB;
@@ -58,7 +58,7 @@ bool a2dp_aac_decoder_init(decoded_data_callback_t decode_callback) {
 void a2dp_aac_decoder_cleanup(void) {
 if (a2dp_aac_decoder_cb.has_aac_handle) aacDecoder_Close(a2dp_aac_decoder_cb.aac_handle);
- free(a2dp_aac_decoder_cb.decode_buf);
+ osi_free(a2dp_aac_decoder_cb.decode_buf);
 memset(&a2dp_aac_decoder_cb, 0, sizeof(a2dp_aac_decoder_cb));
 }
diff --git a/stack/smp/smp_cmac.cc b/stack/smp/smp_cmac.cc
index 42f91a0c4..30ccef974 100644
--- a/stack/smp/smp_cmac.cc
+++ b/stack/smp/smp_cmac.cc
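Review bot: The bound check directly below the new guard in the second gatt_server.cc hunk, `value.size() + offset > BTGATT_MAX_ATTR_LEN`, still adds a `size_t` to what appears to be a signed `offset` (its declaration is outside the hunk) and is only correct because the new `offset < 0` test runs first. I would record that ordering dependency with a comment such as `// offset is known non-negative here; the sum below is evaluated as unsigned`, or make the conversion explicit with `value.size() + static_cast<size_t>(offset) > BTGATT_MAX_ATTR_LEN`. The literal `0x534e4554` passed with the bug-id string also deserves a one-line comment saying it is the security event-log tag, so the call is not later removed as stray logging. SendResponse's body starts and ends outside the hunk.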
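Review bot: Only `decode_buf` gets a default member initializer in `tA2DP_AAC_DECODER_CB` (first a2dp_aac_decoder.cc hunk), while `has_aac_handle` and `decode_callback` are left to whatever zero-initialization the object's storage provides, and `a2dp_aac_decoder_cleanup` in the following hunk resets the whole struct with `memset`. Mixing the two conventions leaves it unclear which one the code relies on, and `has_aac_handle` is read in cleanup before anything in these hunks sets it. Either give the flag the same treatment, `bool has_aac_handle = false;  // True if aac_handle is valid`, or add a comment on the new line such as `// nullptr so that cleanup before init frees nothing; the rest is zeroed by memset in cleanup`. The definition of `a2dp_aac_decoder_cb` is not visible here, so its storage duration is an assumption.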
@@ -278,7 +278,8 @@ static bool cmac_generate_subkey(BT_OCTET16 key) {
 ******************************************************************************/
 bool aes_cipher_msg_auth_code(BT_OCTET16 key, uint8_t* input, uint16_t length, uint16_t tlen, uint8_t* p_signature) {
- uint16_t len, diff;
+ uint32_t len;
+ uint16_t diff;
 uint16_t n = (length + BT_OCTET16_LEN - 1) / BT_OCTET16_LEN; /* n is number of rounds */
 bool ret = false; |
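Review bot: Nothing on the new `uint32_t len;` line says why `len` alone is 32 bits wide while `diff` and `n` stay `uint16_t`, so a later tidy-up could merge the declarations again and bring the overflow back. Presumably `len` holds the padded length `n * BT_OCTET16_LEN` (the assignment is outside the hunk), which reaches 65536 once `length` exceeds 65520. A comment such as `/* 32-bit on purpose: n * BT_OCTET16_LEN can be 65536, which wraps to 0 in uint16_t */` would record that. It is also worth confirming that no later use of `len` in aes_cipher_msg_auth_code, whose body continues past the end of the hunk, narrows it back to 16 bits.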
