Fix OOB read in avrc_ctrl_pars_vendor_rsp (32569ef7) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/avrc/avrc_pars_ct.cc

+5 −0

Original line number	Original line	Diff line number	Diff line
	@@ -479,6 +479,11 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
	break;		break;
	}		}
	BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p);		BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p);
			if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE) {
			android_errorWriteLog(0x534e4554, "78526423");
			p_result->list_app_values.num_val = AVRC_MAX_APP_ATTR_SIZE;
			}

	AVRC_TRACE_DEBUG("%s value count = %d ", __func__,		AVRC_TRACE_DEBUG("%s value count = %d ", __func__,
	p_result->list_app_values.num_val);		p_result->list_app_values.num_val);
	for (int xx = 0; xx < p_result->list_app_values.num_val; xx++) {		for (int xx = 0; xx < p_result->list_app_values.num_val; xx++) {