Fix possible OOB read

Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)

1 files changed, 11 insertions, 0 deletions

diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index 49a5b2934..92a9c6af2 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -302,6 +302,11 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
     UINT16      total, cur_handles, orig;
     UINT8       cont_len;
 
+    if (p_reply + 8 > p_reply_end) {
+        android_errorWriteLog(0x534e4554, "74249842");
+        sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
+        return;
+    }
     /* Skip transaction, and param len */
     p_reply += 4;
     BE_STREAM_TO_UINT16 (total, p_reply);
@@ -322,6 +327,12 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
     if (p_ccb->num_handles > sdp_cb.max_recs_per_search)
         p_ccb->num_handles = sdp_cb.max_recs_per_search;
 
+    if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) {
+        android_errorWriteLog(0x534e4554, "74249842");
+        sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
+        return;
+    }
+
     for (xx = orig; xx < p_ccb->num_handles; xx++)
         BE_STREAM_TO_UINT32 (p_ccb->handles[xx], p_reply);