[automerger] Add checks whether the AVDTP element data length is valid am:... (383e2ea6) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/avdt/avdt_msg.c

+11 −0

Original line number	Original line	Diff line number	Diff line
	@@ -26,6 +26,7 @@
	*		*
	******************************************************************************/		******************************************************************************/

			#include <log/log.h>
	#include <string.h>		#include <string.h>
	#include "bt_types.h"		#include "bt_types.h"
	#include "bt_target.h"		#include "bt_target.h"
	@@ -673,6 +674,11 @@ static UINT8 avdt_msg_prs_cfg(tAVDT_CFG p_cfg, UINT8 p, UINT16 len, UINT8* p_e

	case AVDT_CAT_PROTECT:		case AVDT_CAT_PROTECT:
	p_cfg->psc_mask &= ~AVDT_PSC_PROTECT;		p_cfg->psc_mask &= ~AVDT_PSC_PROTECT;
			if (p + elem_len > p_end) {
			err = AVDT_ERR_LENGTH;
			android_errorWriteLog(0x534e4554, "78288378");
			break;
			}
	if ((elem_len + protect_offset) < AVDT_PROTECT_SIZE)		if ((elem_len + protect_offset) < AVDT_PROTECT_SIZE)
	{		{
	p_cfg->num_protect++;		p_cfg->num_protect++;
	@@ -747,6 +753,11 @@ static UINT8 avdt_msg_prs_cfg(tAVDT_CFG p_cfg, UINT8 p, UINT16 len, UINT8* p_e
	{		{
	tmp = AVDT_CODEC_SIZE - 1;		tmp = AVDT_CODEC_SIZE - 1;
	}		}
			if (p + tmp > p_end) {
			err = AVDT_ERR_LENGTH;
			android_errorWriteLog(0x534e4554, "78288378");
			break;
			}
	p_cfg->num_codec++;		p_cfg->num_codec++;
	p_cfg->codec_info[0] = elem_len;		p_cfg->codec_info[0] = elem_len;
	memcpy(&p_cfg->codec_info[1], p, tmp);		memcpy(&p_cfg->codec_info[1], p, tmp);