Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2ece0453 authored by Hui Peng's avatar Hui Peng Committed by Automerger Merge Worker
Browse files

Fix an OOB bug in bta_hh_co_get_rpt_rsp am: d2e67f50 

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20810318



Change-Id: I947d81f5d592c578ef8be54337af1f7f67a29888
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 476f203f d2e67f50

system/btif/co/bta_hh_co.cc

+5 −4
Original line number Diff line number Diff line
@@ -673,15 +673,16 @@ void bta_hh_co_get_rpt_rsp(uint8_t dev_handle, uint8_t status, uint8_t* p_rpt, 
    ev.type = UHID_FEATURE_ANSWER;

    ev.u.feature_answer.id = *get_rpt_id;

    ev.u.feature_answer.err = status;

    ev.u.feature_answer.size = len;

    ev.u.feature_answer.size = len - GET_RPT_RSP_OFFSET;

    osi_free(get_rpt_id);

    if (len > 0) {

      if (len > UHID_DATA_MAX) {

    if (len > GET_RPT_RSP_OFFSET) {

      if (len - GET_RPT_RSP_OFFSET > UHID_DATA_MAX) {

        APPL_TRACE_WARNING("%s: Report size greater than allowed size",

                           __func__);

        return;

      }

      memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET, len);

      memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET,

             len - GET_RPT_RSP_OFFSET);

      uhid_write(p_dev->fd, &ev);

    }

  }