Check Avrcp packet vendor length before extracting length (0d9d9e5e) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/avrc/avrc_pars_tg.cc

+6 −0

Original line number	Diff line number	Diff line
		@@ -43,6 +43,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg,
		tAVRC_COMMAND* p_result) {
		tAVRC_STS status = AVRC_STS_NO_ERROR;

		if (p_msg->vendor_len < 4) { // 4 == pdu + reserved byte + len as uint16
		AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
		__func__, p_msg->vendor_len);
		android_errorWriteLog(0x534e4554, "205571133");
		return AVRC_STS_INTERNAL_ERR;
		}
		uint8_t* p = p_msg->p_vendor_data;
		p_result->pdu = *p++;
		AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);