Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 243fdf1c authored by Brian Delwiche's avatar Brian Delwiche Committed by Android Build Coastguard Worker
Browse files

Add bounds checks in btif_avrcp_audio_track.cc 

Fuzz testing reveals that the transcodeQ*ToFloat family of functions are
not bounds checked, causing a potential OOB write.

Check these functions against bounds of the destination array.

Bug: 275895309
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:46803ae95d63ee133eae83d885e7c051964dc8ed)
Merged-In: I7a13261429797769cf5b913912a30e249668ac93
Change-Id: I7a13261429797769cf5b913912a30e249668ac93
parent a218e5be

system/btif/src/btif_avrcp_audio_track.cc

+5 −3
Original line number Diff line number Diff line
@@ -23,6 +23,8 @@ 
#include <base/logging.h>

#include <utils/StrongPointer.h>



#include <algorithm>



#include "bt_target.h"

#include "osi/include/log.h"
@@ -152,7 +154,7 @@ static size_t transcodeQ15ToFloat(uint8_t* buffer, size_t length, 
                                  BtifAvrcpAudioTrack* trackHolder) {

  size_t sampleSize = sampleSizeFor(trackHolder);

  size_t i = 0;

  for (; i <= length / sampleSize; i++) {

  for (; i < std::min(trackHolder->bufferLength, length / sampleSize); i++) {

    trackHolder->buffer[i] = ((int16_t*)buffer)[i] * kScaleQ15ToFloat;

  }

  return i * sampleSize;
@@ -162,7 +164,7 @@ static size_t transcodeQ23ToFloat(uint8_t* buffer, size_t length, 
                                  BtifAvrcpAudioTrack* trackHolder) {

  size_t sampleSize = sampleSizeFor(trackHolder);

  size_t i = 0;

  for (; i <= length / sampleSize; i++) {

  for (; i < std::min(trackHolder->bufferLength, length / sampleSize); i++) {

    size_t offset = i * sampleSize;

    int32_t sample = *((int32_t*)(buffer + offset - 1)) & 0x00FFFFFF;

    trackHolder->buffer[i] = sample * kScaleQ23ToFloat;
@@ -174,7 +176,7 @@ static size_t transcodeQ31ToFloat(uint8_t* buffer, size_t length, 
                                  BtifAvrcpAudioTrack* trackHolder) {

  size_t sampleSize = sampleSizeFor(trackHolder);

  size_t i = 0;

  for (; i <= length / sampleSize; i++) {

  for (; i < std::min(trackHolder->bufferLength, length / sampleSize); i++) {

    trackHolder->buffer[i] = ((int32_t*)buffer)[i] * kScaleQ31ToFloat;

  }

  return i * sampleSize;