From cfafbb1b9883581d6cdf2c8656d9dab43839216a Mon Sep 17 00:00:00 2001
From: Marie Janssen <jamuraa@google.com>
Date: Thu, 12 May 2016 15:30:16 -0700
Subject: DO NOT MERGE btif: check overflow on create_pbuf size

Bug: 27930580
Ticket: CYNGNOS-3020

Change-Id: Ieb1f23f9a8a937b21f7c5eca92da3b0b821400e6
(cherry picked from commit ad31ee0f0f03953064cc503314d5e39d687af50a)
---
 btif/src/btif_hh.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/btif/src/btif_hh.c b/btif/src/btif_hh.c
index 8188942b5..88e767a91 100644
--- a/btif/src/btif_hh.c
+++ b/btif/src/btif_hh.c
@@ -33,6 +33,8 @@
 
 #define LOG_TAG "bt_btif_hh"
 
+#include <cutils/log.h>
+
 #include "bta_api.h"
 #include "bta_hh_api.h"
 #include "btif_storage.h"
@@ -257,7 +259,12 @@ static void toggle_os_keylockstates(int fd, int changedlockstates)
 *******************************************************************************/
 static BT_HDR *create_pbuf(UINT16 len, UINT8 *data)
 {
-    BT_HDR* p_buf = GKI_getbuf((UINT16) (len + BTA_HH_MIN_OFFSET + sizeof(BT_HDR)));
+    UINT16 buflen = (UINT16) (len + BTA_HH_MIN_OFFSET + sizeof(BT_HDR));
+    if (buflen < len) {
+      android_errorWriteWithInfoLog(0x534e4554, "28672558", -1, NULL, 0);
+      return NULL;
+    }
+    BT_HDR* p_buf = GKI_getbuf(buflen);
 
     if (p_buf) {
         UINT8* pbuf_data;
-- 
cgit v1.2.3