Fix copy length calculation in sdp_copy_raw_data

Test: compilation Bug: 110216176 Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459 (cherry picked from commit 23aa15743397b345f3d948289fe90efa2a2e2b3e)
author: Jakub Pawlowski <jpawlowski@google.com> 2018-07-16 06:40:35 -0700
committer: Tim Schumacher <timschumi@gmx.de> 2018-11-18 07:45:39 +0000
commit: a9fd8465015a0e0ff8572749b44d7795f8045020 (patch)
tree: ad6815ebbb13ff2f498e5f434299de29de1c1bec
parent: 42b6e678ce790fb68de14c7302906e07bc09e15b (diff)
download: android_system_bt-a9fd8465015a0e0ff8572749b44d7795f8045020.tar.gz
android_system_bt-a9fd8465015a0e0ff8572749b44d7795f8045020.tar.bz2
android_system_bt-a9fd8465015a0e0ff8572749b44d7795f8045020.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index 5ec79b7d3..49a5b2934 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -388,8 +388,16 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
 
         if(offset)
         {
+            cpy_len -= 1;
             type = *p++;
+            uint8_t* old_p = p;
             p = sdpu_get_len_from_type (p, type, &list_len);
+            if ((int)cpy_len < (p - old_p))
+            {
+                SDP_TRACE_WARNING("%s: no bytes left for data", __func__);
+                return;
+            }
+            cpy_len -= (p - old_p);
         }
         if(list_len < cpy_len)
         {
author	Jakub Pawlowski <jpawlowski@google.com>	2018-07-16 06:40:35 -0700
committer	Tim Schumacher <timschumi@gmx.de>	2018-11-18 07:45:39 +0000
commit	a9fd8465015a0e0ff8572749b44d7795f8045020 (patch)
tree	ad6815ebbb13ff2f498e5f434299de29de1c1bec
parent	42b6e678ce790fb68de14c7302906e07bc09e15b (diff)
download	android_system_bt-a9fd8465015a0e0ff8572749b44d7795f8045020.tar.gz android_system_bt-a9fd8465015a0e0ff8572749b44d7795f8045020.tar.bz2 android_system_bt-a9fd8465015a0e0ff8572749b44d7795f8045020.zip