diff options
| author | Hansong Zhang <hsz@google.com> | 2018-08-06 14:40:37 -0700 |
|---|---|---|
| committer | Tim Schumacher <timschumi@gmx.de> | 2018-11-18 07:45:29 +0000 |
| commit | 42b6e678ce790fb68de14c7302906e07bc09e15b (patch) | |
| tree | e230a5e652ce8430e9c021517630defeb058bbb0 | |
| parent | 9c9fa769cc610a6e9ebaadda8b3ddc49aa537aee (diff) | |
| download | android_system_bt-42b6e678ce790fb68de14c7302906e07bc09e15b.tar.gz android_system_bt-42b6e678ce790fb68de14c7302906e07bc09e15b.tar.bz2 android_system_bt-42b6e678ce790fb68de14c7302906e07bc09e15b.zip | |
Fix OOB read in avrc_ctrl_pars_vendor_rsp
Bug: 78526423
Test: manual
Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91
(cherry picked from commit d945ada503ed9c9ea24e092df51faba57f5d589a)
| -rw-r--r-- | stack/avrc/avrc_pars_ct.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/stack/avrc/avrc_pars_ct.c b/stack/avrc/avrc_pars_ct.c index 85f93d776..93a50eee1 100644 --- a/stack/avrc/avrc_pars_ct.c +++ b/stack/avrc/avrc_pars_ct.c @@ -19,6 +19,8 @@ ******************************************************************************/ #include <string.h> +#include <log/log.h> + #include "gki.h" #include "avrc_api.h" #include "avrc_defs.h" @@ -197,6 +199,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR *p_msg, tAVRC_RESPON break; } BE_STREAM_TO_UINT8(p_result->list_app_values.num_val,p); + if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE) + { + android_errorWriteLog(0x534e4554, "78526423"); + p_result->list_app_values.num_val = AVRC_MAX_APP_ATTR_SIZE; + } + AVRC_TRACE_DEBUG("AVRC_PDU_LIST_PLAYER_APP_ATTR count = %d ", p_result->list_app_attr.num_attr); for(xx = 0; xx < p_result->list_app_values.num_val; xx++) |