Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 293bac5f authored by Hui Peng's avatar Hui Peng
Browse files

Fix a potential OOB read resulted from integer underflow 

This is an issue similar with I45320085b1e458d3b0e0d86162a35aaaae7b34cb

The regression test is: I8bdaf3fef16a2d9d366a7fc9b0f2f0a35d3fb12d

Test: atest net_test_stack_a2dp_codecs_native
Bug: 259704719
Ignore-AOSP-First: security
Change-Id: I4744169dcca79ab3564f4e9e34bdf428cf678ed7
parent 780b0804

system/stack/a2dp/a2dp_vendor_ldac.cc

+4 −0
Original line number Diff line number Diff line
@@ -518,6 +518,10 @@ bool A2DP_VendorBuildCodecHeaderLdac(UNUSED_ATTR const uint8_t* p_codec_info, 
                                     uint16_t frames_per_packet) {

  uint8_t* p;



  if (p_buf->offset < A2DP_LDAC_MPL_HDR_LEN) {

    return false;

  }



  p_buf->offset -= A2DP_LDAC_MPL_HDR_LEN;

  p = (uint8_t*)(p_buf + 1) + p_buf->offset;

  p_buf->len += A2DP_LDAC_MPL_HDR_LEN;

system/stack/a2dp/a2dp_vendor_opus.cc

+4 −0
Original line number Diff line number Diff line
@@ -566,6 +566,10 @@ bool A2DP_VendorBuildCodecHeaderOpus(UNUSED_ATTR const uint8_t* p_codec_info, 
                                     uint16_t frames_per_packet) {

  uint8_t* p;



  if (p_buf->offset < A2DP_OPUS_MPL_HDR_LEN) {

    return false;

  }



  p_buf->offset -= A2DP_OPUS_MPL_HDR_LEN;

  p = (uint8_t*)(p_buf + 1) + p_buf->offset;

  p_buf->len += A2DP_OPUS_MPL_HDR_LEN;