Check packet length in bta_av_proc_meta_cmd

Bug: 111893951
Test: manual - connect A2DP
Change-Id: Ibbf347863dfd29ea3385312e9dde1082bc90d2f3
(cherry picked from commit ed51887f921263219bcd2fbf6650ead5ec8d334e)

1 files changed, 8 insertions, 1 deletions

diff --git a/bta/av/bta_av_act.c b/bta/av/bta_av_act.c
index d5fb64cc6..39919773a 100644
--- a/bta/av/bta_av_act.c
+++ b/bta/av/bta_av_act.c
@@ -37,6 +37,7 @@
 #include "avdt_api.h"
 #include "utl.h"
 #include "l2c_api.h"
+#include "log/log.h"
 #include "osi/include/list.h"
 #if( defined BTA_AR_INCLUDED ) && (BTA_AR_INCLUDED == TRUE)
 #include "bta_ar_api.h"
@@ -861,11 +862,17 @@ tBTA_AV_EVT bta_av_proc_meta_cmd(tAVRC_RESPONSE  *p_rc_rsp, tBTA_AV_RC_MSG *p_ms
         case AVRC_PDU_GET_CAPABILITIES:
             /* process GetCapabilities command without reporting the event to app */
             evt = 0;
+            if (p_vendor->vendor_len != 5)
+            {
+                android_errorWriteLog(0x534e4554, "111893951");
+                p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR;
+                break;
+            }
             u8 = *(p_vendor->p_vendor_data + 4);
             p = p_vendor->p_vendor_data + 2;
             p_rc_rsp->get_caps.capability_id = u8;
             BE_STREAM_TO_UINT16 (u16, p);
-            if ((u16 != 1) || (p_vendor->vendor_len != 5))
+            if (u16 != 1)
             {
                 p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR;
             }