Loading system/bta/ag/bta_ag_sdp.cc +0 −1 Original line number Original line Diff line number Diff line Loading @@ -471,7 +471,6 @@ void bta_ag_do_disc(tBTA_AG_SCB* p_scb, tBTA_SERVICE_MASK service) { if (p_scb->hsp_version >= HSP_VERSION_1_2) { if (p_scb->hsp_version >= HSP_VERSION_1_2) { uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_HEADSET_HS); uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_HEADSET_HS); num_uuid = 2; } else { } else { /* Legacy from HSP v1.0 */ /* Legacy from HSP v1.0 */ uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_HEADSET); uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_HEADSET); Loading system/bta/hd/bta_hd_api.cc +5 −0 Original line number Original line Diff line number Diff line Loading @@ -27,6 +27,7 @@ #if defined(BTA_HD_INCLUDED) && (BTA_HD_INCLUDED == TRUE) #if defined(BTA_HD_INCLUDED) && (BTA_HD_INCLUDED == TRUE) #include <log/log.h> #include <stdio.h> #include <stdio.h> #include <stdlib.h> #include <stdlib.h> #include <string.h> #include <string.h> Loading Loading @@ -124,6 +125,10 @@ extern void BTA_HdRegisterApp(tBTA_HD_APP_INFO* p_app_info, p_buf->subclass = p_app_info->subclass; p_buf->subclass = p_app_info->subclass; if (p_app_info->descriptor.dl_len > BTA_HD_APP_DESCRIPTOR_LEN) { p_app_info->descriptor.dl_len = BTA_HD_APP_DESCRIPTOR_LEN; android_errorWriteLog(0x534e4554, "113111784"); } p_buf->d_len = p_app_info->descriptor.dl_len; p_buf->d_len = p_app_info->descriptor.dl_len; memcpy(p_buf->d_data, p_app_info->descriptor.dsc_list, memcpy(p_buf->d_data, p_app_info->descriptor.dsc_list, p_app_info->descriptor.dl_len); p_app_info->descriptor.dl_len); Loading system/bta/hd/bta_hd_int.h +1 −1 Original line number Original line Diff line number Diff line Loading 
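Review bot: The clamp added in the BTA_HdRegisterApp hunk of bta_hd_api.cc writes the truncated value back into the caller's `p_app_info->descriptor.dl_len`, so bounding the memcpy comes with a side effect on the input struct. A local bound avoids that: `uint16_t d_len = p_app_info->descriptor.dl_len;` with the clamp applied to `d_len` and `d_len` used for both `p_buf->d_len` and the memcpy (the field's real type is not visible here; match it). Because a truncated HID report descriptor is no longer a usable descriptor, a comment such as `/* Over-long descriptors are truncated, not rejected; the caller is not informed. */` would make the chosen behavior explicit, given the function returns void. BTA_HdRegisterApp continues outside the hunk.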
@@ -66,7 +66,7 @@ typedef struct { #define BTA_HD_APP_NAME_LEN 50 #define BTA_HD_APP_NAME_LEN 50 #define BTA_HD_APP_DESCRIPTION_LEN 50 #define BTA_HD_APP_DESCRIPTION_LEN 50 #define BTA_HD_APP_PROVIDER_LEN 50 #define BTA_HD_APP_PROVIDER_LEN 50 #define BTA_HD_APP_DESCRIPTOR_LEN 2048 #define BTA_HD_APP_DESCRIPTOR_LEN HIDD_APP_DESCRIPTOR_LEN #define BTA_HD_STATE_DISABLED 0x00 #define BTA_HD_STATE_DISABLED 0x00 #define BTA_HD_STATE_ENABLED 0x01 #define BTA_HD_STATE_ENABLED 0x01 Loading system/btif/src/btif_hd.cc +15 −9 Original line number Original line Diff line number Diff line Loading @@ -25,15 +25,16 @@ * * * * ***********************************************************************************/ ***********************************************************************************/ #define LOG_TAG "BTIF_HD" #include <errno.h> #include <errno.h> #include <hardware/bluetooth.h> #include <hardware/bluetooth.h> #include <hardware/bt_hd.h> #include <hardware/bt_hd.h> #include <log/log.h> #include <stdio.h> #include <stdio.h> #include <stdlib.h> #include <stdlib.h> #include <string.h> #include <string.h> #define LOG_TAG "BTIF_HD" #include "bta_api.h" #include "bta_api.h" #include "bta_hd_api.h" #include "bta_hd_api.h" #include "bta_hh_api.h" #include "bta_hh_api.h" Loading Loading 
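Review bot: The new `#define BTA_HD_APP_DESCRIPTOR_LEN HIDD_APP_DESCRIPTOR_LEN` ties the BTA bound to the HID device layer constant without saying why, and the clamp added in BTA_HdRegisterApp (bta_hd_api.cc) uses it to bound the memcpy into `p_buf->d_data`, so it must never exceed that buffer's size. A comment on the define preserves that intent, e.g. `/* Bounds d_len in BTA_HdRegisterApp; must match the HID device layer's descriptor buffer. */`. Whether this header already sees HIDD_APP_DESCRIPTOR_LEN through its includes is not visible here.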
@@ -397,13 +398,18 @@ static bt_status_t register_app(bthd_app_param_t* p_app_param, return BT_STATUS_BUSY; return BT_STATUS_BUSY; } } app_info.p_name = (char*)osi_malloc(BTIF_HD_APP_NAME_LEN); if (strlen(p_app_param->name) >= BTIF_HD_APP_NAME_LEN || memcpy(app_info.p_name, p_app_param->name, BTIF_HD_APP_NAME_LEN); strlen(p_app_param->description) >= BTIF_HD_APP_DESCRIPTION_LEN || app_info.p_description = (char*)osi_malloc(BTIF_HD_APP_DESCRIPTION_LEN); strlen(p_app_param->provider) >= BTIF_HD_APP_PROVIDER_LEN) { memcpy(app_info.p_description, p_app_param->description, android_errorWriteLog(0x534e4554, "113037220"); } app_info.p_name = (char*)osi_calloc(BTIF_HD_APP_NAME_LEN); strlcpy(app_info.p_name, p_app_param->name, BTIF_HD_APP_NAME_LEN); app_info.p_description = (char*)osi_calloc(BTIF_HD_APP_DESCRIPTION_LEN); strlcpy(app_info.p_description, p_app_param->description, BTIF_HD_APP_DESCRIPTION_LEN); BTIF_HD_APP_DESCRIPTION_LEN); app_info.p_provider = (char*)osi_malloc(BTIF_HD_APP_PROVIDER_LEN); app_info.p_provider = (char*)osi_calloc(BTIF_HD_APP_PROVIDER_LEN); memcpy(app_info.p_provider, p_app_param->provider, BTIF_HD_APP_PROVIDER_LEN); strlcpy(app_info.p_provider, p_app_param->provider, BTIF_HD_APP_PROVIDER_LEN); app_info.subclass = p_app_param->subclass; app_info.subclass = p_app_param->subclass; app_info.descriptor.dl_len = p_app_param->desc_list_len; app_info.descriptor.dl_len = p_app_param->desc_list_len; app_info.descriptor.dsc_list = app_info.descriptor.dsc_list = Loading system/stack/avrc/avrc_pars_ct.cc +171 −16 Original line number Original line Diff line number Diff line Loading 
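Review bot: The length check at the top of the register_app hunk in btif_hd.cc only logs and falls through, so an over-long name, description or provider is truncated by the strlcpy calls below rather than rejected; if that is intended, state it on the log-only branch, e.g. `/* Too long: logged for telemetry; strlcpy below truncates to the fixed buffer. */`. The three strlen calls also assume each string in `bthd_app_param_t` is NUL-terminated; if those fields are fixed-size arrays (their declaration is not visible here), `strnlen(p_app_param->name, sizeof(p_app_param->name))` bounds the scan as well. register_app starts and ends outside the hunk.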
@@ -29,6 +29,8 @@ * Global data * Global data ****************************************************************************/ ****************************************************************************/ #define MIN(x, y) ((x) < (y) ? (x) : (y)) /******************************************************************************* /******************************************************************************* * * * Function avrc_pars_vendor_rsp * Function avrc_pars_vendor_rsp Loading 
@@ -54,13 +56,33 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, if (p_msg->vendor_len == 0) return AVRC_STS_NO_ERROR; if (p_msg->vendor_len == 0) return AVRC_STS_NO_ERROR; if (p_msg->p_vendor_data == NULL) return AVRC_STS_INTERNAL_ERR; if (p_msg->p_vendor_data == NULL) return AVRC_STS_INTERNAL_ERR; if (p_msg->vendor_len < 4) { android_errorWriteLog(0x534e4554, "111450531"); AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4", __func__, p_msg->vendor_len); return AVRC_STS_INTERNAL_ERR; } p = p_msg->p_vendor_data; p = p_msg->p_vendor_data; BE_STREAM_TO_UINT8(p_result->pdu, p); BE_STREAM_TO_UINT8(p_result->pdu, p); p++; /* skip the reserved/packe_type byte */ p++; /* skip the reserved/packe_type byte */ BE_STREAM_TO_UINT16(len, p); BE_STREAM_TO_UINT16(len, p); AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x", __func__, AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x vendor_len=0x%x", p_msg->hdr.ctype, p_result->pdu, len, len); __func__, p_msg->hdr.ctype, p_result->pdu, len, len, p_msg->vendor_len); if (p_msg->vendor_len < len + 4) { android_errorWriteLog(0x534e4554, "111450531"); AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d", __func__, p_msg->vendor_len, len + 4); return AVRC_STS_INTERNAL_ERR; } if (p_msg->hdr.ctype == AVRC_RSP_REJ) { if (p_msg->hdr.ctype == AVRC_RSP_REJ) { if (len < 1) { android_errorWriteLog(0x534e4554, "111450531"); AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least 1", __func__, len); return AVRC_STS_INTERNAL_ERR; } p_result->rsp.status = *p; p_result->rsp.status = *p; return p_result->rsp.status; return p_result->rsp.status; } } Loading 
@@ -81,12 +103,26 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, case AVRC_PDU_REGISTER_NOTIFICATION: /* 0x31 */ case AVRC_PDU_REGISTER_NOTIFICATION: /* 0x31 */ #if (AVRC_ADV_CTRL_INCLUDED == TRUE) #if (AVRC_ADV_CTRL_INCLUDED == TRUE) if (len < 1) { android_errorWriteLog(0x534e4554, "111450531"); AVRC_TRACE_WARNING( "%s: invalid parameter length %d: must be at least 1", __func__, len); return AVRC_STS_INTERNAL_ERR; } BE_STREAM_TO_UINT8(eventid, p); BE_STREAM_TO_UINT8(eventid, p); if (AVRC_EVT_VOLUME_CHANGE == eventid && if (AVRC_EVT_VOLUME_CHANGE == eventid && (AVRC_RSP_CHANGED == p_msg->hdr.ctype || (AVRC_RSP_CHANGED == p_msg->hdr.ctype || AVRC_RSP_INTERIM == p_msg->hdr.ctype || AVRC_RSP_INTERIM == p_msg->hdr.ctype || AVRC_RSP_REJ == p_msg->hdr.ctype || AVRC_RSP_REJ == p_msg->hdr.ctype || AVRC_RSP_NOT_IMPL == p_msg->hdr.ctype)) { AVRC_RSP_NOT_IMPL == p_msg->hdr.ctype)) { if (len < 2) { android_errorWriteLog(0x534e4554, "111450531"); AVRC_TRACE_WARNING( "%s: invalid parameter length %d: must be at least 2", __func__, len); return AVRC_STS_INTERNAL_ERR; } p_result->reg_notif.status = p_msg->hdr.ctype; p_result->reg_notif.status = p_msg->hdr.ctype; p_result->reg_notif.event_id = eventid; p_result->reg_notif.event_id = eventid; BE_STREAM_TO_UINT8(p_result->reg_notif.param.volume, p); BE_STREAM_TO_UINT8(p_result->reg_notif.param.volume, p); Loading 
@@ -103,24 +139,35 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, return status; return status; } } void avrc_parse_notification_rsp(uint8_t* p_stream, tAVRC_STS avrc_parse_notification_rsp(uint8_t* p_stream, uint16_t len, tAVRC_REG_NOTIF_RSP* p_rsp) { tAVRC_REG_NOTIF_RSP* p_rsp) { uint16_t min_len = 1; if (len < min_len) goto length_error; BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream); BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream); switch (p_rsp->event_id) { switch (p_rsp->event_id) { case AVRC_EVT_PLAY_STATUS_CHANGE: case AVRC_EVT_PLAY_STATUS_CHANGE: min_len += 1; if (len < min_len) goto length_error; BE_STREAM_TO_UINT8(p_rsp->param.play_status, p_stream); BE_STREAM_TO_UINT8(p_rsp->param.play_status, p_stream); break; break; case AVRC_EVT_TRACK_CHANGE: case AVRC_EVT_TRACK_CHANGE: min_len += 8; if (len < min_len) goto length_error; BE_STREAM_TO_ARRAY(p_stream, p_rsp->param.track, 8); BE_STREAM_TO_ARRAY(p_stream, p_rsp->param.track, 8); break; break; case AVRC_EVT_APP_SETTING_CHANGE: case AVRC_EVT_APP_SETTING_CHANGE: min_len += 1; if (len < min_len) goto length_error; BE_STREAM_TO_UINT8(p_rsp->param.player_setting.num_attr, p_stream); BE_STREAM_TO_UINT8(p_rsp->param.player_setting.num_attr, p_stream); if (p_rsp->param.player_setting.num_attr > AVRC_MAX_APP_SETTINGS) { if (p_rsp->param.player_setting.num_attr > AVRC_MAX_APP_SETTINGS) { android_errorWriteLog(0x534e4554, "73782082"); android_errorWriteLog(0x534e4554, "73782082"); p_rsp->param.player_setting.num_attr = AVRC_MAX_APP_SETTINGS; p_rsp->param.player_setting.num_attr = AVRC_MAX_APP_SETTINGS; } } min_len += p_rsp->param.player_setting.num_attr * 2; if (len < min_len) goto length_error; for (int index = 0; index < p_rsp->param.player_setting.num_attr; for (int index = 0; index < p_rsp->param.player_setting.num_attr; index++) { index++) { BE_STREAM_TO_UINT8(p_rsp->param.player_setting.attr_id[index], BE_STREAM_TO_UINT8(p_rsp->param.player_setting.attr_id[index], Loading Loading 
@@ -153,6 +200,14 @@ void avrc_parse_notification_rsp(uint8_t* p_stream, default: default: break; break; } } return AVRC_STS_NO_ERROR; length_error: android_errorWriteLog(0x534e4554, "111450417"); AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least %d", __func__, len, min_len); return AVRC_STS_INTERNAL_ERR; } } static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, Loading Loading 
@@ -407,16 +462,32 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, tAVRC_RESPONSE* p_result, tAVRC_RESPONSE* p_result, uint8_t* p_buf, uint16_t* buf_len) { uint8_t* p_buf, uint16_t* buf_len) { if (p_msg->vendor_len < 4) { android_errorWriteLog(0x534e4554, "111450417"); AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4", __func__, p_msg->vendor_len); return AVRC_STS_INTERNAL_ERR; } uint8_t* p = p_msg->p_vendor_data; uint8_t* p = p_msg->p_vendor_data; BE_STREAM_TO_UINT8(p_result->pdu, p); BE_STREAM_TO_UINT8(p_result->pdu, p); p++; /* skip the reserved/packe_type byte */ p++; /* skip the reserved/packe_type byte */ uint16_t len; uint16_t len; uint16_t min_len = 0; BE_STREAM_TO_UINT16(len, p); BE_STREAM_TO_UINT16(len, p); AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d", __func__, p_msg->hdr.ctype, AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d vendor_len=0x%x", __func__, p_result->pdu, len); p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len); if (p_msg->vendor_len < len + 4) { android_errorWriteLog(0x534e4554, "111450417"); AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d", __func__, p_msg->vendor_len, len + 4); return AVRC_STS_INTERNAL_ERR; } /* Todo: Issue in handling reject, check */ /* Todo: Issue in handling reject, check */ if (p_msg->hdr.ctype == AVRC_RSP_REJ) { if (p_msg->hdr.ctype == AVRC_RSP_REJ) { min_len += 1; if (len < min_len) goto length_error; p_result->rsp.status = *p; p_result->rsp.status = *p; return p_result->rsp.status; return p_result->rsp.status; } } Loading 
@@ -427,8 +498,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, /* case AVRC_PDU_ABORT_CONTINUATION_RSP: 0x41 */ /* case AVRC_PDU_ABORT_CONTINUATION_RSP: 0x41 */ case AVRC_PDU_REGISTER_NOTIFICATION: case AVRC_PDU_REGISTER_NOTIFICATION: avrc_parse_notification_rsp(p, &p_result->reg_notif); return avrc_parse_notification_rsp(p, len, &p_result->reg_notif); break; case AVRC_PDU_GET_CAPABILITIES: case AVRC_PDU_GET_CAPABILITIES: if (len == 0) { if (len == 0) { Loading @@ -436,12 +506,16 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_caps.capability_id = 0; p_result->get_caps.capability_id = 0; break; break; } } min_len += 2; if (len < min_len) goto length_error; BE_STREAM_TO_UINT8(p_result->get_caps.capability_id, p); BE_STREAM_TO_UINT8(p_result->get_caps.capability_id, p); BE_STREAM_TO_UINT8(p_result->get_caps.count, p); BE_STREAM_TO_UINT8(p_result->get_caps.count, p); AVRC_TRACE_DEBUG("%s cap id = %d, cap_count = %d ", __func__, AVRC_TRACE_DEBUG("%s cap id = %d, cap_count = %d ", __func__, p_result->get_caps.capability_id, p_result->get_caps.capability_id, p_result->get_caps.count); p_result->get_caps.count); if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID) { if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID) { min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3; if (len < min_len) goto length_error; for (int xx = 0; ((xx < p_result->get_caps.count) && for (int xx = 0; ((xx < p_result->get_caps.count) && (xx < AVRC_CAP_MAX_NUM_COMP_ID)); (xx < AVRC_CAP_MAX_NUM_COMP_ID)); xx++) { xx++) { Loading 
@@ -449,6 +523,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, } } } else if (p_result->get_caps.capability_id == } else if (p_result->get_caps.capability_id == AVRC_CAP_EVENTS_SUPPORTED) { AVRC_CAP_EVENTS_SUPPORTED) { min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID); if (len < min_len) goto length_error; for (int xx = 0; ((xx < p_result->get_caps.count) && for (int xx = 0; ((xx < p_result->get_caps.count) && (xx < AVRC_CAP_MAX_NUM_EVT_ID)); (xx < AVRC_CAP_MAX_NUM_EVT_ID)); xx++) { xx++) { Loading @@ -462,6 +538,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->list_app_attr.num_attr = 0; p_result->list_app_attr.num_attr = 0; break; break; } } min_len += 1; BE_STREAM_TO_UINT8(p_result->list_app_attr.num_attr, p); BE_STREAM_TO_UINT8(p_result->list_app_attr.num_attr, p); AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->list_app_attr.num_attr); p_result->list_app_attr.num_attr); Loading @@ -471,6 +548,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->list_app_attr.num_attr = AVRC_MAX_APP_ATTR_SIZE; p_result->list_app_attr.num_attr = AVRC_MAX_APP_ATTR_SIZE; } } min_len += p_result->list_app_attr.num_attr; if (len < min_len) goto length_error; for (int xx = 0; xx < p_result->list_app_attr.num_attr; xx++) { for (int xx = 0; xx < p_result->list_app_attr.num_attr; xx++) { BE_STREAM_TO_UINT8(p_result->list_app_attr.attrs[xx], p); BE_STREAM_TO_UINT8(p_result->list_app_attr.attrs[xx], p); } } Loading 
@@ -481,6 +560,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->list_app_values.num_val = 0; p_result->list_app_values.num_val = 0; break; break; } } min_len += 1; BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p); BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p); if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE) { if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE) { android_errorWriteLog(0x534e4554, "78526423"); android_errorWriteLog(0x534e4554, "78526423"); Loading @@ -489,6 +569,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, AVRC_TRACE_DEBUG("%s value count = %d ", __func__, AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->list_app_values.num_val); p_result->list_app_values.num_val); min_len += p_result->list_app_values.num_val; if (len < min_len) goto length_error; for (int xx = 0; xx < p_result->list_app_values.num_val; xx++) { for (int xx = 0; xx < p_result->list_app_values.num_val; xx++) { BE_STREAM_TO_UINT8(p_result->list_app_values.vals[xx], p); BE_STREAM_TO_UINT8(p_result->list_app_values.vals[xx], p); } } Loading @@ -499,9 +581,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_cur_app_val.num_val = 0; p_result->get_cur_app_val.num_val = 0; break; break; } } min_len += 1; BE_STREAM_TO_UINT8(p_result->get_cur_app_val.num_val, p); BE_STREAM_TO_UINT8(p_result->get_cur_app_val.num_val, p); tAVRC_APP_SETTING* app_sett = (tAVRC_APP_SETTING*)osi_malloc( p_result->get_cur_app_val.num_val * sizeof(tAVRC_APP_SETTING)); AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->get_cur_app_val.num_val); p_result->get_cur_app_val.num_val); Loading 
@@ -510,6 +591,13 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_cur_app_val.num_val = AVRC_MAX_APP_ATTR_SIZE; p_result->get_cur_app_val.num_val = AVRC_MAX_APP_ATTR_SIZE; } } min_len += p_result->get_cur_app_val.num_val * 2; if (len < min_len) { p_result->get_cur_app_val.num_val = 0; goto length_error; } tAVRC_APP_SETTING* app_sett = (tAVRC_APP_SETTING*)osi_calloc( p_result->get_cur_app_val.num_val * sizeof(tAVRC_APP_SETTING)); for (int xx = 0; xx < p_result->get_cur_app_val.num_val; xx++) { for (int xx = 0; xx < p_result->get_cur_app_val.num_val; xx++) { BE_STREAM_TO_UINT8(app_sett[xx].attr_id, p); BE_STREAM_TO_UINT8(app_sett[xx].attr_id, p); BE_STREAM_TO_UINT8(app_sett[xx].attr_val, p); BE_STREAM_TO_UINT8(app_sett[xx].attr_val, p); Loading @@ -524,6 +612,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_app_attr_txt.num_attr = 0; p_result->get_app_attr_txt.num_attr = 0; break; break; } } min_len += 1; BE_STREAM_TO_UINT8(num_attrs, p); BE_STREAM_TO_UINT8(num_attrs, p); if (num_attrs > AVRC_MAX_APP_ATTR_SIZE) { if (num_attrs > AVRC_MAX_APP_ATTR_SIZE) { num_attrs = AVRC_MAX_APP_ATTR_SIZE; num_attrs = AVRC_MAX_APP_ATTR_SIZE; Loading 
@@ -532,15 +621,33 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_app_attr_txt.num_attr); p_result->get_app_attr_txt.num_attr); p_result->get_app_attr_txt.num_attr = num_attrs; p_result->get_app_attr_txt.num_attr = num_attrs; p_result->get_app_attr_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_malloc( p_result->get_app_attr_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_calloc( num_attrs * sizeof(tAVRC_APP_SETTING_TEXT)); num_attrs * sizeof(tAVRC_APP_SETTING_TEXT)); for (int xx = 0; xx < num_attrs; xx++) { for (int xx = 0; xx < num_attrs; xx++) { min_len += 4; if (len < min_len) { for (int j = 0; j < xx; j++) { osi_free(p_result->get_app_attr_txt.p_attrs[j].p_str); } osi_free_and_reset((void**)&p_result->get_app_attr_txt.p_attrs); p_result->get_app_attr_txt.num_attr = 0; goto length_error; } BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].attr_id, p); BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].attr_id, p); BE_STREAM_TO_UINT16(p_result->get_app_attr_txt.p_attrs[xx].charset_id, BE_STREAM_TO_UINT16(p_result->get_app_attr_txt.p_attrs[xx].charset_id, p); p); BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].str_len, p); BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].str_len, p); min_len += p_result->get_app_attr_txt.p_attrs[xx].str_len; if (len < min_len) { for (int j = 0; j < xx; j++) { osi_free(p_result->get_app_attr_txt.p_attrs[j].p_str); } osi_free_and_reset((void**)&p_result->get_app_attr_txt.p_attrs); p_result->get_app_attr_txt.num_attr = 0; goto length_error; } if (p_result->get_app_attr_txt.p_attrs[xx].str_len != 0) { if (p_result->get_app_attr_txt.p_attrs[xx].str_len != 0) { uint8_t* p_str = (uint8_t*)osi_malloc( uint8_t* p_str = (uint8_t*)osi_calloc( p_result->get_app_attr_txt.p_attrs[xx].str_len); p_result->get_app_attr_txt.p_attrs[xx].str_len); BE_STREAM_TO_ARRAY(p, p_str, BE_STREAM_TO_ARRAY(p, p_str, p_result->get_app_attr_txt.p_attrs[xx].str_len); 
p_result->get_app_attr_txt.p_attrs[xx].str_len); Loading @@ -558,6 +665,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_app_val_txt.num_attr = 0; p_result->get_app_val_txt.num_attr = 0; break; break; } } min_len += 1; BE_STREAM_TO_UINT8(num_vals, p); BE_STREAM_TO_UINT8(num_vals, p); if (num_vals > AVRC_MAX_APP_ATTR_SIZE) { if (num_vals > AVRC_MAX_APP_ATTR_SIZE) { num_vals = AVRC_MAX_APP_ATTR_SIZE; num_vals = AVRC_MAX_APP_ATTR_SIZE; Loading 
@@ -566,14 +674,32 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, AVRC_TRACE_DEBUG("%s value count = %d ", __func__, AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->get_app_val_txt.num_attr); p_result->get_app_val_txt.num_attr); p_result->get_app_val_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_malloc( p_result->get_app_val_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_calloc( num_vals * sizeof(tAVRC_APP_SETTING_TEXT)); num_vals * sizeof(tAVRC_APP_SETTING_TEXT)); for (int i = 0; i < num_vals; i++) { for (int i = 0; i < num_vals; i++) { min_len += 4; if (len < min_len) { for (int j = 0; j < i; j++) { osi_free(p_result->get_app_val_txt.p_attrs[j].p_str); } osi_free_and_reset((void**)&p_result->get_app_val_txt.p_attrs); p_result->get_app_val_txt.num_attr = 0; goto length_error; } BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].attr_id, p); BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].attr_id, p); BE_STREAM_TO_UINT16(p_result->get_app_val_txt.p_attrs[i].charset_id, p); BE_STREAM_TO_UINT16(p_result->get_app_val_txt.p_attrs[i].charset_id, p); BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].str_len, p); BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].str_len, p); min_len += p_result->get_app_val_txt.p_attrs[i].str_len; if (len < min_len) { for (int j = 0; j < i; j++) { osi_free(p_result->get_app_val_txt.p_attrs[j].p_str); } osi_free_and_reset((void**)&p_result->get_app_val_txt.p_attrs); p_result->get_app_val_txt.num_attr = 0; goto length_error; } if (p_result->get_app_val_txt.p_attrs[i].str_len != 0) { if (p_result->get_app_val_txt.p_attrs[i].str_len != 0) { uint8_t* p_str = (uint8_t*)osi_malloc( uint8_t* p_str = (uint8_t*)osi_calloc( p_result->get_app_val_txt.p_attrs[i].str_len); p_result->get_app_val_txt.p_attrs[i].str_len); BE_STREAM_TO_ARRAY(p, p_str, BE_STREAM_TO_ARRAY(p, p_str, p_result->get_app_val_txt.p_attrs[i].str_len); p_result->get_app_val_txt.p_attrs[i].str_len); Loading 
@@ -595,20 +721,41 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_attrs.num_attrs = 0; p_result->get_attrs.num_attrs = 0; break; break; } } min_len += 1; BE_STREAM_TO_UINT8(num_attrs, p); BE_STREAM_TO_UINT8(num_attrs, p); p_result->get_attrs.num_attrs = num_attrs; p_result->get_attrs.num_attrs = num_attrs; if (num_attrs) { if (num_attrs) { tAVRC_ATTR_ENTRY* p_attrs = tAVRC_ATTR_ENTRY* p_attrs = (tAVRC_ATTR_ENTRY*)osi_malloc(num_attrs * sizeof(tAVRC_ATTR_ENTRY)); (tAVRC_ATTR_ENTRY*)osi_calloc(num_attrs * sizeof(tAVRC_ATTR_ENTRY)); for (int i = 0; i < num_attrs; i++) { for (int i = 0; i < num_attrs; i++) { min_len += 8; if (len < min_len) { for (int j = 0; j < i; j++) { osi_free(p_attrs[j].name.p_str); } osi_free(p_attrs); p_result->get_attrs.num_attrs = 0; goto length_error; } BE_STREAM_TO_UINT32(p_attrs[i].attr_id, p); BE_STREAM_TO_UINT32(p_attrs[i].attr_id, p); BE_STREAM_TO_UINT16(p_attrs[i].name.charset_id, p); BE_STREAM_TO_UINT16(p_attrs[i].name.charset_id, p); BE_STREAM_TO_UINT16(p_attrs[i].name.str_len, p); BE_STREAM_TO_UINT16(p_attrs[i].name.str_len, p); min_len += p_attrs[i].name.str_len; if (len < min_len) { for (int j = 0; j < i; j++) { osi_free(p_attrs[j].name.p_str); } osi_free(p_attrs); p_result->get_attrs.num_attrs = 0; goto length_error; } if (p_attrs[i].name.str_len > 0) { if (p_attrs[i].name.str_len > 0) { p_attrs[i].name.p_str = p_attrs[i].name.p_str = (uint8_t*)osi_malloc(p_attrs[i].name.str_len); (uint8_t*)osi_calloc(p_attrs[i].name.str_len); BE_STREAM_TO_ARRAY(p, p_attrs[i].name.p_str, BE_STREAM_TO_ARRAY(p, p_attrs[i].name.p_str, p_attrs[i].name.str_len); p_attrs[i].name.str_len); } else { p_attrs[i].name.p_str = NULL; } } } } p_result->get_attrs.p_attrs = p_attrs; p_result->get_attrs.p_attrs = p_attrs; Loading 
@@ -619,6 +766,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, if (len == 0) { if (len == 0) { break; break; } } min_len += 9; if (len < min_len) goto length_error; BE_STREAM_TO_UINT32(p_result->get_play_status.song_len, p); BE_STREAM_TO_UINT32(p_result->get_play_status.song_len, p); BE_STREAM_TO_UINT32(p_result->get_play_status.song_pos, p); BE_STREAM_TO_UINT32(p_result->get_play_status.song_pos, p); BE_STREAM_TO_UINT8(p_result->get_play_status.status, p); BE_STREAM_TO_UINT8(p_result->get_play_status.status, p); Loading @@ -636,6 +785,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, return AVRC_STS_BAD_CMD; return AVRC_STS_BAD_CMD; } } return AVRC_STS_NO_ERROR; return AVRC_STS_NO_ERROR; length_error: android_errorWriteLog(0x534e4554, "111450417"); AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least %d", __func__, len, min_len); return AVRC_STS_INTERNAL_ERR; } } /******************************************************************************* /******************************************************************************* Loading Loading
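Review bot: In the get_attrs hunk (`@@ -595,20 +721,41 @@`), `min_len += p_attrs[i].name.str_len;` adds a 16-bit `str_len` into `min_len`, which the `@@ -407,16 +462,32 @@` hunk declares as `uint16_t min_len = 0;`, so over several entries the running total can wrap modulo 65536 and the following `if (len < min_len)` then passes for a response whose declared string length exceeds the bytes actually present, leaving BE_STREAM_TO_ARRAY to read past `p_vendor_data`. Declaring `uint32_t min_len = 0;` (and using `%u` for it in the length_error trace) removes the wrap; the same widening is cheap insurance in avrc_parse_notification_rsp even though its increments are bounded by AVRC_MAX_APP_SETTINGS. Separately, the file-scope `#define MIN(x, y) ((x) < (y) ? (x) : (y))` added in the first hunk can collide with a MIN defined by included headers; `std::min` would avoid the macro. avrc_ctrl_pars_vendor_rsp starts and ends outside the hunks that declare and accumulate min_len.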
system/bta/ag/bta_ag_sdp.cc +0 −1 Original line number Original line Diff line number Diff line Loading @@ -471,7 +471,6 @@ void bta_ag_do_disc(tBTA_AG_SCB* p_scb, tBTA_SERVICE_MASK service) { if (p_scb->hsp_version >= HSP_VERSION_1_2) { if (p_scb->hsp_version >= HSP_VERSION_1_2) { uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_HEADSET_HS); uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_HEADSET_HS); num_uuid = 2; } else { } else { /* Legacy from HSP v1.0 */ /* Legacy from HSP v1.0 */ uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_HEADSET); uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_HEADSET); Loading
system/bta/hd/bta_hd_api.cc +5 −0 Original line number Original line Diff line number Diff line Loading @@ -27,6 +27,7 @@ #if defined(BTA_HD_INCLUDED) && (BTA_HD_INCLUDED == TRUE) #if defined(BTA_HD_INCLUDED) && (BTA_HD_INCLUDED == TRUE) #include <log/log.h> #include <stdio.h> #include <stdio.h> #include <stdlib.h> #include <stdlib.h> #include <string.h> #include <string.h> Loading Loading @@ -124,6 +125,10 @@ extern void BTA_HdRegisterApp(tBTA_HD_APP_INFO* p_app_info, p_buf->subclass = p_app_info->subclass; p_buf->subclass = p_app_info->subclass; if (p_app_info->descriptor.dl_len > BTA_HD_APP_DESCRIPTOR_LEN) { p_app_info->descriptor.dl_len = BTA_HD_APP_DESCRIPTOR_LEN; android_errorWriteLog(0x534e4554, "113111784"); } p_buf->d_len = p_app_info->descriptor.dl_len; p_buf->d_len = p_app_info->descriptor.dl_len; memcpy(p_buf->d_data, p_app_info->descriptor.dsc_list, memcpy(p_buf->d_data, p_app_info->descriptor.dsc_list, p_app_info->descriptor.dl_len); p_app_info->descriptor.dl_len); Loading
system/bta/hd/bta_hd_int.h +1 −1 Original line number Original line Diff line number Diff line Loading @@ -66,7 +66,7 @@ typedef struct { #define BTA_HD_APP_NAME_LEN 50 #define BTA_HD_APP_NAME_LEN 50 #define BTA_HD_APP_DESCRIPTION_LEN 50 #define BTA_HD_APP_DESCRIPTION_LEN 50 #define BTA_HD_APP_PROVIDER_LEN 50 #define BTA_HD_APP_PROVIDER_LEN 50 #define BTA_HD_APP_DESCRIPTOR_LEN 2048 #define BTA_HD_APP_DESCRIPTOR_LEN HIDD_APP_DESCRIPTOR_LEN #define BTA_HD_STATE_DISABLED 0x00 #define BTA_HD_STATE_DISABLED 0x00 #define BTA_HD_STATE_ENABLED 0x01 #define BTA_HD_STATE_ENABLED 0x01 Loading
system/btif/src/btif_hd.cc +15 −9 Original line number Original line Diff line number Diff line Loading @@ -25,15 +25,16 @@ * * * * ***********************************************************************************/ ***********************************************************************************/ #define LOG_TAG "BTIF_HD" #include <errno.h> #include <errno.h> #include <hardware/bluetooth.h> #include <hardware/bluetooth.h> #include <hardware/bt_hd.h> #include <hardware/bt_hd.h> #include <log/log.h> #include <stdio.h> #include <stdio.h> #include <stdlib.h> #include <stdlib.h> #include <string.h> #include <string.h> #define LOG_TAG "BTIF_HD" #include "bta_api.h" #include "bta_api.h" #include "bta_hd_api.h" #include "bta_hd_api.h" #include "bta_hh_api.h" #include "bta_hh_api.h" Loading Loading 
@@ -397,13 +398,18 @@ static bt_status_t register_app(bthd_app_param_t* p_app_param, return BT_STATUS_BUSY; return BT_STATUS_BUSY; } } app_info.p_name = (char*)osi_malloc(BTIF_HD_APP_NAME_LEN); if (strlen(p_app_param->name) >= BTIF_HD_APP_NAME_LEN || memcpy(app_info.p_name, p_app_param->name, BTIF_HD_APP_NAME_LEN); strlen(p_app_param->description) >= BTIF_HD_APP_DESCRIPTION_LEN || app_info.p_description = (char*)osi_malloc(BTIF_HD_APP_DESCRIPTION_LEN); strlen(p_app_param->provider) >= BTIF_HD_APP_PROVIDER_LEN) { memcpy(app_info.p_description, p_app_param->description, android_errorWriteLog(0x534e4554, "113037220"); } app_info.p_name = (char*)osi_calloc(BTIF_HD_APP_NAME_LEN); strlcpy(app_info.p_name, p_app_param->name, BTIF_HD_APP_NAME_LEN); app_info.p_description = (char*)osi_calloc(BTIF_HD_APP_DESCRIPTION_LEN); strlcpy(app_info.p_description, p_app_param->description, BTIF_HD_APP_DESCRIPTION_LEN); BTIF_HD_APP_DESCRIPTION_LEN); app_info.p_provider = (char*)osi_malloc(BTIF_HD_APP_PROVIDER_LEN); app_info.p_provider = (char*)osi_calloc(BTIF_HD_APP_PROVIDER_LEN); memcpy(app_info.p_provider, p_app_param->provider, BTIF_HD_APP_PROVIDER_LEN); strlcpy(app_info.p_provider, p_app_param->provider, BTIF_HD_APP_PROVIDER_LEN); app_info.subclass = p_app_param->subclass; app_info.subclass = p_app_param->subclass; app_info.descriptor.dl_len = p_app_param->desc_list_len; app_info.descriptor.dl_len = p_app_param->desc_list_len; app_info.descriptor.dsc_list = app_info.descriptor.dsc_list = Loading
system/stack/avrc/avrc_pars_ct.cc +171 −16 Original line number Original line Diff line number Diff line Loading @@ -29,6 +29,8 @@ * Global data * Global data ****************************************************************************/ ****************************************************************************/ #define MIN(x, y) ((x) < (y) ? (x) : (y)) /******************************************************************************* /******************************************************************************* * * * Function avrc_pars_vendor_rsp * Function avrc_pars_vendor_rsp Loading 
@@ -54,13 +56,33 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, if (p_msg->vendor_len == 0) return AVRC_STS_NO_ERROR; if (p_msg->vendor_len == 0) return AVRC_STS_NO_ERROR; if (p_msg->p_vendor_data == NULL) return AVRC_STS_INTERNAL_ERR; if (p_msg->p_vendor_data == NULL) return AVRC_STS_INTERNAL_ERR; if (p_msg->vendor_len < 4) { android_errorWriteLog(0x534e4554, "111450531"); AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4", __func__, p_msg->vendor_len); return AVRC_STS_INTERNAL_ERR; } p = p_msg->p_vendor_data; p = p_msg->p_vendor_data; BE_STREAM_TO_UINT8(p_result->pdu, p); BE_STREAM_TO_UINT8(p_result->pdu, p); p++; /* skip the reserved/packe_type byte */ p++; /* skip the reserved/packe_type byte */ BE_STREAM_TO_UINT16(len, p); BE_STREAM_TO_UINT16(len, p); AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x", __func__, AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x vendor_len=0x%x", p_msg->hdr.ctype, p_result->pdu, len, len); __func__, p_msg->hdr.ctype, p_result->pdu, len, len, p_msg->vendor_len); if (p_msg->vendor_len < len + 4) { android_errorWriteLog(0x534e4554, "111450531"); AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d", __func__, p_msg->vendor_len, len + 4); return AVRC_STS_INTERNAL_ERR; } if (p_msg->hdr.ctype == AVRC_RSP_REJ) { if (p_msg->hdr.ctype == AVRC_RSP_REJ) { if (len < 1) { android_errorWriteLog(0x534e4554, "111450531"); AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least 1", __func__, len); return AVRC_STS_INTERNAL_ERR; } p_result->rsp.status = *p; p_result->rsp.status = *p; return p_result->rsp.status; return p_result->rsp.status; } } Loading 
@@ -81,12 +103,26 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, case AVRC_PDU_REGISTER_NOTIFICATION: /* 0x31 */ case AVRC_PDU_REGISTER_NOTIFICATION: /* 0x31 */ #if (AVRC_ADV_CTRL_INCLUDED == TRUE) #if (AVRC_ADV_CTRL_INCLUDED == TRUE) if (len < 1) { android_errorWriteLog(0x534e4554, "111450531"); AVRC_TRACE_WARNING( "%s: invalid parameter length %d: must be at least 1", __func__, len); return AVRC_STS_INTERNAL_ERR; } BE_STREAM_TO_UINT8(eventid, p); BE_STREAM_TO_UINT8(eventid, p); if (AVRC_EVT_VOLUME_CHANGE == eventid && if (AVRC_EVT_VOLUME_CHANGE == eventid && (AVRC_RSP_CHANGED == p_msg->hdr.ctype || (AVRC_RSP_CHANGED == p_msg->hdr.ctype || AVRC_RSP_INTERIM == p_msg->hdr.ctype || AVRC_RSP_INTERIM == p_msg->hdr.ctype || AVRC_RSP_REJ == p_msg->hdr.ctype || AVRC_RSP_REJ == p_msg->hdr.ctype || AVRC_RSP_NOT_IMPL == p_msg->hdr.ctype)) { AVRC_RSP_NOT_IMPL == p_msg->hdr.ctype)) { if (len < 2) { android_errorWriteLog(0x534e4554, "111450531"); AVRC_TRACE_WARNING( "%s: invalid parameter length %d: must be at least 2", __func__, len); return AVRC_STS_INTERNAL_ERR; } p_result->reg_notif.status = p_msg->hdr.ctype; p_result->reg_notif.status = p_msg->hdr.ctype; p_result->reg_notif.event_id = eventid; p_result->reg_notif.event_id = eventid; BE_STREAM_TO_UINT8(p_result->reg_notif.param.volume, p); BE_STREAM_TO_UINT8(p_result->reg_notif.param.volume, p); Loading 
@@ -103,24 +139,35 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, return status; return status; } } void avrc_parse_notification_rsp(uint8_t* p_stream, tAVRC_STS avrc_parse_notification_rsp(uint8_t* p_stream, uint16_t len, tAVRC_REG_NOTIF_RSP* p_rsp) { tAVRC_REG_NOTIF_RSP* p_rsp) { uint16_t min_len = 1; if (len < min_len) goto length_error; BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream); BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream); switch (p_rsp->event_id) { switch (p_rsp->event_id) { case AVRC_EVT_PLAY_STATUS_CHANGE: case AVRC_EVT_PLAY_STATUS_CHANGE: min_len += 1; if (len < min_len) goto length_error; BE_STREAM_TO_UINT8(p_rsp->param.play_status, p_stream); BE_STREAM_TO_UINT8(p_rsp->param.play_status, p_stream); break; break; case AVRC_EVT_TRACK_CHANGE: case AVRC_EVT_TRACK_CHANGE: min_len += 8; if (len < min_len) goto length_error; BE_STREAM_TO_ARRAY(p_stream, p_rsp->param.track, 8); BE_STREAM_TO_ARRAY(p_stream, p_rsp->param.track, 8); break; break; case AVRC_EVT_APP_SETTING_CHANGE: case AVRC_EVT_APP_SETTING_CHANGE: min_len += 1; if (len < min_len) goto length_error; BE_STREAM_TO_UINT8(p_rsp->param.player_setting.num_attr, p_stream); BE_STREAM_TO_UINT8(p_rsp->param.player_setting.num_attr, p_stream); if (p_rsp->param.player_setting.num_attr > AVRC_MAX_APP_SETTINGS) { if (p_rsp->param.player_setting.num_attr > AVRC_MAX_APP_SETTINGS) { android_errorWriteLog(0x534e4554, "73782082"); android_errorWriteLog(0x534e4554, "73782082"); p_rsp->param.player_setting.num_attr = AVRC_MAX_APP_SETTINGS; p_rsp->param.player_setting.num_attr = AVRC_MAX_APP_SETTINGS; } } min_len += p_rsp->param.player_setting.num_attr * 2; if (len < min_len) goto length_error; for (int index = 0; index < p_rsp->param.player_setting.num_attr; for (int index = 0; index < p_rsp->param.player_setting.num_attr; index++) { index++) { BE_STREAM_TO_UINT8(p_rsp->param.player_setting.attr_id[index], BE_STREAM_TO_UINT8(p_rsp->param.player_setting.attr_id[index], Loading Loading 
@@ -153,6 +200,14 @@ void avrc_parse_notification_rsp(uint8_t* p_stream, default: default: break; break; } } return AVRC_STS_NO_ERROR; length_error: android_errorWriteLog(0x534e4554, "111450417"); AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least %d", __func__, len, min_len); return AVRC_STS_INTERNAL_ERR; } } static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, Loading Loading 
@@ -407,16 +462,32 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, tAVRC_RESPONSE* p_result, tAVRC_RESPONSE* p_result, uint8_t* p_buf, uint16_t* buf_len) { uint8_t* p_buf, uint16_t* buf_len) { if (p_msg->vendor_len < 4) { android_errorWriteLog(0x534e4554, "111450417"); AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4", __func__, p_msg->vendor_len); return AVRC_STS_INTERNAL_ERR; } uint8_t* p = p_msg->p_vendor_data; uint8_t* p = p_msg->p_vendor_data; BE_STREAM_TO_UINT8(p_result->pdu, p); BE_STREAM_TO_UINT8(p_result->pdu, p); p++; /* skip the reserved/packe_type byte */ p++; /* skip the reserved/packe_type byte */ uint16_t len; uint16_t len; uint16_t min_len = 0; BE_STREAM_TO_UINT16(len, p); BE_STREAM_TO_UINT16(len, p); AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d", __func__, p_msg->hdr.ctype, AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d vendor_len=0x%x", __func__, p_result->pdu, len); p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len); if (p_msg->vendor_len < len + 4) { android_errorWriteLog(0x534e4554, "111450417"); AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d", __func__, p_msg->vendor_len, len + 4); return AVRC_STS_INTERNAL_ERR; } /* Todo: Issue in handling reject, check */ /* Todo: Issue in handling reject, check */ if (p_msg->hdr.ctype == AVRC_RSP_REJ) { if (p_msg->hdr.ctype == AVRC_RSP_REJ) { min_len += 1; if (len < min_len) goto length_error; p_result->rsp.status = *p; p_result->rsp.status = *p; return p_result->rsp.status; return p_result->rsp.status; } } Loading 
@@ -427,8 +498,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, /* case AVRC_PDU_ABORT_CONTINUATION_RSP: 0x41 */ /* case AVRC_PDU_ABORT_CONTINUATION_RSP: 0x41 */ case AVRC_PDU_REGISTER_NOTIFICATION: case AVRC_PDU_REGISTER_NOTIFICATION: avrc_parse_notification_rsp(p, &p_result->reg_notif); return avrc_parse_notification_rsp(p, len, &p_result->reg_notif); break; case AVRC_PDU_GET_CAPABILITIES: case AVRC_PDU_GET_CAPABILITIES: if (len == 0) { if (len == 0) { Loading @@ -436,12 +506,16 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_caps.capability_id = 0; p_result->get_caps.capability_id = 0; break; break; } } min_len += 2; if (len < min_len) goto length_error; BE_STREAM_TO_UINT8(p_result->get_caps.capability_id, p); BE_STREAM_TO_UINT8(p_result->get_caps.capability_id, p); BE_STREAM_TO_UINT8(p_result->get_caps.count, p); BE_STREAM_TO_UINT8(p_result->get_caps.count, p); AVRC_TRACE_DEBUG("%s cap id = %d, cap_count = %d ", __func__, AVRC_TRACE_DEBUG("%s cap id = %d, cap_count = %d ", __func__, p_result->get_caps.capability_id, p_result->get_caps.capability_id, p_result->get_caps.count); p_result->get_caps.count); if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID) { if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID) { min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3; if (len < min_len) goto length_error; for (int xx = 0; ((xx < p_result->get_caps.count) && for (int xx = 0; ((xx < p_result->get_caps.count) && (xx < AVRC_CAP_MAX_NUM_COMP_ID)); (xx < AVRC_CAP_MAX_NUM_COMP_ID)); xx++) { xx++) { Loading 
@@ -449,6 +523,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, } } } else if (p_result->get_caps.capability_id == } else if (p_result->get_caps.capability_id == AVRC_CAP_EVENTS_SUPPORTED) { AVRC_CAP_EVENTS_SUPPORTED) { min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID); if (len < min_len) goto length_error; for (int xx = 0; ((xx < p_result->get_caps.count) && for (int xx = 0; ((xx < p_result->get_caps.count) && (xx < AVRC_CAP_MAX_NUM_EVT_ID)); (xx < AVRC_CAP_MAX_NUM_EVT_ID)); xx++) { xx++) { Loading @@ -462,6 +538,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->list_app_attr.num_attr = 0; p_result->list_app_attr.num_attr = 0; break; break; } } min_len += 1; BE_STREAM_TO_UINT8(p_result->list_app_attr.num_attr, p); BE_STREAM_TO_UINT8(p_result->list_app_attr.num_attr, p); AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->list_app_attr.num_attr); p_result->list_app_attr.num_attr); Loading @@ -471,6 +548,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->list_app_attr.num_attr = AVRC_MAX_APP_ATTR_SIZE; p_result->list_app_attr.num_attr = AVRC_MAX_APP_ATTR_SIZE; } } min_len += p_result->list_app_attr.num_attr; if (len < min_len) goto length_error; for (int xx = 0; xx < p_result->list_app_attr.num_attr; xx++) { for (int xx = 0; xx < p_result->list_app_attr.num_attr; xx++) { BE_STREAM_TO_UINT8(p_result->list_app_attr.attrs[xx], p); BE_STREAM_TO_UINT8(p_result->list_app_attr.attrs[xx], p); } } Loading 
@@ -481,6 +560,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->list_app_values.num_val = 0; p_result->list_app_values.num_val = 0; break; break; } } min_len += 1; BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p); BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p); if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE) { if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE) { android_errorWriteLog(0x534e4554, "78526423"); android_errorWriteLog(0x534e4554, "78526423"); Loading @@ -489,6 +569,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, AVRC_TRACE_DEBUG("%s value count = %d ", __func__, AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->list_app_values.num_val); p_result->list_app_values.num_val); min_len += p_result->list_app_values.num_val; if (len < min_len) goto length_error; for (int xx = 0; xx < p_result->list_app_values.num_val; xx++) { for (int xx = 0; xx < p_result->list_app_values.num_val; xx++) { BE_STREAM_TO_UINT8(p_result->list_app_values.vals[xx], p); BE_STREAM_TO_UINT8(p_result->list_app_values.vals[xx], p); } } Loading @@ -499,9 +581,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_cur_app_val.num_val = 0; p_result->get_cur_app_val.num_val = 0; break; break; } } min_len += 1; BE_STREAM_TO_UINT8(p_result->get_cur_app_val.num_val, p); BE_STREAM_TO_UINT8(p_result->get_cur_app_val.num_val, p); tAVRC_APP_SETTING* app_sett = (tAVRC_APP_SETTING*)osi_malloc( p_result->get_cur_app_val.num_val * sizeof(tAVRC_APP_SETTING)); AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->get_cur_app_val.num_val); p_result->get_cur_app_val.num_val); Loading 
@@ -510,6 +591,13 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_cur_app_val.num_val = AVRC_MAX_APP_ATTR_SIZE; p_result->get_cur_app_val.num_val = AVRC_MAX_APP_ATTR_SIZE; } } min_len += p_result->get_cur_app_val.num_val * 2; if (len < min_len) { p_result->get_cur_app_val.num_val = 0; goto length_error; } tAVRC_APP_SETTING* app_sett = (tAVRC_APP_SETTING*)osi_calloc( p_result->get_cur_app_val.num_val * sizeof(tAVRC_APP_SETTING)); for (int xx = 0; xx < p_result->get_cur_app_val.num_val; xx++) { for (int xx = 0; xx < p_result->get_cur_app_val.num_val; xx++) { BE_STREAM_TO_UINT8(app_sett[xx].attr_id, p); BE_STREAM_TO_UINT8(app_sett[xx].attr_id, p); BE_STREAM_TO_UINT8(app_sett[xx].attr_val, p); BE_STREAM_TO_UINT8(app_sett[xx].attr_val, p); Loading @@ -524,6 +612,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_app_attr_txt.num_attr = 0; p_result->get_app_attr_txt.num_attr = 0; break; break; } } min_len += 1; BE_STREAM_TO_UINT8(num_attrs, p); BE_STREAM_TO_UINT8(num_attrs, p); if (num_attrs > AVRC_MAX_APP_ATTR_SIZE) { if (num_attrs > AVRC_MAX_APP_ATTR_SIZE) { num_attrs = AVRC_MAX_APP_ATTR_SIZE; num_attrs = AVRC_MAX_APP_ATTR_SIZE; Loading 
@@ -532,15 +621,33 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_app_attr_txt.num_attr); p_result->get_app_attr_txt.num_attr); p_result->get_app_attr_txt.num_attr = num_attrs; p_result->get_app_attr_txt.num_attr = num_attrs; p_result->get_app_attr_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_malloc( p_result->get_app_attr_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_calloc( num_attrs * sizeof(tAVRC_APP_SETTING_TEXT)); num_attrs * sizeof(tAVRC_APP_SETTING_TEXT)); for (int xx = 0; xx < num_attrs; xx++) { for (int xx = 0; xx < num_attrs; xx++) { min_len += 4; if (len < min_len) { for (int j = 0; j < xx; j++) { osi_free(p_result->get_app_attr_txt.p_attrs[j].p_str); } osi_free_and_reset((void**)&p_result->get_app_attr_txt.p_attrs); p_result->get_app_attr_txt.num_attr = 0; goto length_error; } BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].attr_id, p); BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].attr_id, p); BE_STREAM_TO_UINT16(p_result->get_app_attr_txt.p_attrs[xx].charset_id, BE_STREAM_TO_UINT16(p_result->get_app_attr_txt.p_attrs[xx].charset_id, p); p); BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].str_len, p); BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].str_len, p); min_len += p_result->get_app_attr_txt.p_attrs[xx].str_len; if (len < min_len) { for (int j = 0; j < xx; j++) { osi_free(p_result->get_app_attr_txt.p_attrs[j].p_str); } osi_free_and_reset((void**)&p_result->get_app_attr_txt.p_attrs); p_result->get_app_attr_txt.num_attr = 0; goto length_error; } if (p_result->get_app_attr_txt.p_attrs[xx].str_len != 0) { if (p_result->get_app_attr_txt.p_attrs[xx].str_len != 0) { uint8_t* p_str = (uint8_t*)osi_malloc( uint8_t* p_str = (uint8_t*)osi_calloc( p_result->get_app_attr_txt.p_attrs[xx].str_len); p_result->get_app_attr_txt.p_attrs[xx].str_len); BE_STREAM_TO_ARRAY(p, p_str, BE_STREAM_TO_ARRAY(p, p_str, p_result->get_app_attr_txt.p_attrs[xx].str_len); 
p_result->get_app_attr_txt.p_attrs[xx].str_len); Loading @@ -558,6 +665,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_app_val_txt.num_attr = 0; p_result->get_app_val_txt.num_attr = 0; break; break; } } min_len += 1; BE_STREAM_TO_UINT8(num_vals, p); BE_STREAM_TO_UINT8(num_vals, p); if (num_vals > AVRC_MAX_APP_ATTR_SIZE) { if (num_vals > AVRC_MAX_APP_ATTR_SIZE) { num_vals = AVRC_MAX_APP_ATTR_SIZE; num_vals = AVRC_MAX_APP_ATTR_SIZE; Loading 
@@ -566,14 +674,32 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, AVRC_TRACE_DEBUG("%s value count = %d ", __func__, AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->get_app_val_txt.num_attr); p_result->get_app_val_txt.num_attr); p_result->get_app_val_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_malloc( p_result->get_app_val_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_calloc( num_vals * sizeof(tAVRC_APP_SETTING_TEXT)); num_vals * sizeof(tAVRC_APP_SETTING_TEXT)); for (int i = 0; i < num_vals; i++) { for (int i = 0; i < num_vals; i++) { min_len += 4; if (len < min_len) { for (int j = 0; j < i; j++) { osi_free(p_result->get_app_val_txt.p_attrs[j].p_str); } osi_free_and_reset((void**)&p_result->get_app_val_txt.p_attrs); p_result->get_app_val_txt.num_attr = 0; goto length_error; } BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].attr_id, p); BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].attr_id, p); BE_STREAM_TO_UINT16(p_result->get_app_val_txt.p_attrs[i].charset_id, p); BE_STREAM_TO_UINT16(p_result->get_app_val_txt.p_attrs[i].charset_id, p); BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].str_len, p); BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].str_len, p); min_len += p_result->get_app_val_txt.p_attrs[i].str_len; if (len < min_len) { for (int j = 0; j < i; j++) { osi_free(p_result->get_app_val_txt.p_attrs[j].p_str); } osi_free_and_reset((void**)&p_result->get_app_val_txt.p_attrs); p_result->get_app_val_txt.num_attr = 0; goto length_error; } if (p_result->get_app_val_txt.p_attrs[i].str_len != 0) { if (p_result->get_app_val_txt.p_attrs[i].str_len != 0) { uint8_t* p_str = (uint8_t*)osi_malloc( uint8_t* p_str = (uint8_t*)osi_calloc( p_result->get_app_val_txt.p_attrs[i].str_len); p_result->get_app_val_txt.p_attrs[i].str_len); BE_STREAM_TO_ARRAY(p, p_str, BE_STREAM_TO_ARRAY(p, p_str, p_result->get_app_val_txt.p_attrs[i].str_len); p_result->get_app_val_txt.p_attrs[i].str_len); Loading 
@@ -595,20 +721,41 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_attrs.num_attrs = 0; p_result->get_attrs.num_attrs = 0; break; break; } } min_len += 1; BE_STREAM_TO_UINT8(num_attrs, p); BE_STREAM_TO_UINT8(num_attrs, p); p_result->get_attrs.num_attrs = num_attrs; p_result->get_attrs.num_attrs = num_attrs; if (num_attrs) { if (num_attrs) { tAVRC_ATTR_ENTRY* p_attrs = tAVRC_ATTR_ENTRY* p_attrs = (tAVRC_ATTR_ENTRY*)osi_malloc(num_attrs * sizeof(tAVRC_ATTR_ENTRY)); (tAVRC_ATTR_ENTRY*)osi_calloc(num_attrs * sizeof(tAVRC_ATTR_ENTRY)); for (int i = 0; i < num_attrs; i++) { for (int i = 0; i < num_attrs; i++) { min_len += 8; if (len < min_len) { for (int j = 0; j < i; j++) { osi_free(p_attrs[j].name.p_str); } osi_free(p_attrs); p_result->get_attrs.num_attrs = 0; goto length_error; } BE_STREAM_TO_UINT32(p_attrs[i].attr_id, p); BE_STREAM_TO_UINT32(p_attrs[i].attr_id, p); BE_STREAM_TO_UINT16(p_attrs[i].name.charset_id, p); BE_STREAM_TO_UINT16(p_attrs[i].name.charset_id, p); BE_STREAM_TO_UINT16(p_attrs[i].name.str_len, p); BE_STREAM_TO_UINT16(p_attrs[i].name.str_len, p); min_len += p_attrs[i].name.str_len; if (len < min_len) { for (int j = 0; j < i; j++) { osi_free(p_attrs[j].name.p_str); } osi_free(p_attrs); p_result->get_attrs.num_attrs = 0; goto length_error; } if (p_attrs[i].name.str_len > 0) { if (p_attrs[i].name.str_len > 0) { p_attrs[i].name.p_str = p_attrs[i].name.p_str = (uint8_t*)osi_malloc(p_attrs[i].name.str_len); (uint8_t*)osi_calloc(p_attrs[i].name.str_len); BE_STREAM_TO_ARRAY(p, p_attrs[i].name.p_str, BE_STREAM_TO_ARRAY(p, p_attrs[i].name.p_str, p_attrs[i].name.str_len); p_attrs[i].name.str_len); } else { p_attrs[i].name.p_str = NULL; } } } } p_result->get_attrs.p_attrs = p_attrs; p_result->get_attrs.p_attrs = p_attrs; Loading 
@@ -619,6 +766,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, if (len == 0) { if (len == 0) { break; break; } } min_len += 9; if (len < min_len) goto length_error; BE_STREAM_TO_UINT32(p_result->get_play_status.song_len, p); BE_STREAM_TO_UINT32(p_result->get_play_status.song_len, p); BE_STREAM_TO_UINT32(p_result->get_play_status.song_pos, p); BE_STREAM_TO_UINT32(p_result->get_play_status.song_pos, p); BE_STREAM_TO_UINT8(p_result->get_play_status.status, p); BE_STREAM_TO_UINT8(p_result->get_play_status.status, p); Loading @@ -636,6 +785,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, return AVRC_STS_BAD_CMD; return AVRC_STS_BAD_CMD; } } return AVRC_STS_NO_ERROR; return AVRC_STS_NO_ERROR; length_error: android_errorWriteLog(0x534e4554, "111450417"); AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least %d", __func__, len, min_len); return AVRC_STS_INTERNAL_ERR; } } /******************************************************************************* /******************************************************************************* Loading
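Review bot: `min_len` in avrc_ctrl_pars_vendor_rsp is declared `uint16_t min_len = 0;`, and the per-entry accumulation `min_len += p_attrs[i].name.str_len;` in the GET_ELEMENT_ATTR loop (and the matching `str_len` additions in the get_app_attr_txt and get_app_val_txt loops) is a 16-bit add that can wrap modulo 65536 once an earlier entry's 16-bit `str_len` has brought `min_len` close to `len`, after which a later `if (len < min_len)` passes and the following BE_STREAM_TO_* reads again run past the end of `p_vendor_data`. Whether a vendor message that long is reachable depends on the reassembly limits outside this file, but the bound is cheap to make wrap-proof: declare `uint32_t min_len = 0;` here (and `uint32_t min_len = 1;` in avrc_parse_notification_rsp for consistency) so the comparison is done in 32 bits, and change the `%d` used for `min_len` in the `length_error` trace to `%u`. The `uint16_t len` parameter added to avrc_parse_notification_rsp changes its signature; any declaration of it and any caller other than the REGISTER_NOTIFICATION case shown here are outside this view.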