Commit 0c19bbdc authored by Robert Werthman, committed by Android Build Coastguard Worker

Report failure when not able to connect to AVRCP

A crash may occur when creating a bluetooth AVRCP connection to a
device.

The code fails to check a return value from an AVRCP function
being used to index into an array. The return value may exceed the
size of the array causing memory outside the bounds of the array to be
accessed leading to memory corruption and a crash.

The fix is to ensure the return value is within the bounds of the
array before accessing the array contents. If the return value is
not within the bounds of the array report it as a failure to the
bluetooth stack.

This change is relevant for android automotive because the IVI
(in-vehicle infotainment system) acts as an AVRCP controller
which still executes this code.

Note: this is a backport of b/214569798, inducted as a non-security
issue.  Per b/226927612 it has been found to have security impact
and should be backported to earlier branches.

Bug: 226927612
Test: Manual - set return value to be out of bounds, verify no crash
Tag: #security
Ignore-AOSP-First: Security
Change-Id: Ic284268c2241b6a7de146057b9842873907de59c
(cherry picked from commit e74ee03c)
Merged-In: Ic284268c2241b6a7de146057b9842873907de59c
parent 2fdc7b62
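
The bug class described in the commit message, shown as an added example that is not part of this commit or of the AOSP Bluetooth code: a value returned by a lower-layer call is used as an array index, first unchecked and then validated with the failure reported upward. Every identifier, the table size and the sentinel value are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* All names and constants are hypothetical, not AOSP Bluetooth identifiers. */
#define MAX_CONNS 6          /* constructed table size */
#define HANDLE_INVALID 0xFF  /* constructed "no slot available" value */

typedef struct { bool in_use; uint16_t mtu; } conn_cb_t;
typedef enum { CONNECT_OK, CONNECT_FAILED } connect_status_t;

static conn_cb_t conn_table[MAX_CONNS];
static int failures_reported;

/* Stand-in for the lower-layer call: returns a slot index, or a value
 * outside the table when no connection could be created. */
static uint8_t lower_layer_open(bool succeed, uint8_t slot) {
    return succeed ? slot : HANDLE_INVALID;
}

/* Stand-in for reporting the failure to the rest of the stack. */
static void report_open_failure(void) { failures_reported++; }

/* Before: the returned handle indexes the table unchecked, so
 * HANDLE_INVALID writes past conn_table[MAX_CONNS - 1]. */
static connect_status_t open_conn_unchecked(bool succeed, uint8_t slot) {
    uint8_t handle = lower_layer_open(succeed, slot);
    conn_table[handle].in_use = true;
    return CONNECT_OK;
}

/* After: validate the handle against the table size first and surface
 * an out-of-range value as a connection failure. */
static connect_status_t open_conn_checked(bool succeed, uint8_t slot) {
    uint8_t handle = lower_layer_open(succeed, slot);
    if (handle >= MAX_CONNS) {
        report_open_failure();
        return CONNECT_FAILED;
    }
    conn_table[handle].in_use = true;
    return CONNECT_OK;
}

int main(void) {
    connect_status_t ok = open_conn_checked(true, 2);
    connect_status_t bad = open_conn_checked(false, 0);
    return (ok == CONNECT_OK && bad == CONNECT_FAILED) ? 0 : 1;
}
```

Building the unchecked variant with `-fsanitize=address` and feeding it the out-of-range value is one way to reproduce the manual test the commit message mentions.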