Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 44262377 authored by Hui Peng's avatar Hui Peng Committed by Automerger Merge Worker
Browse files

Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc am: b0d7d4e8 

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20657355



Change-Id: I9e904a6c2544ce8b07dc38d7dc43d74c6d36c25b
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents c6da16f2 b0d7d4e8

system/stack/a2dp/a2dp_sbc.cc

+5 −0
Original line number Diff line number Diff line
@@ -696,6 +696,11 @@ bool A2DP_BuildCodecHeaderSbc(UNUSED_ATTR const uint8_t* p_codec_info, 
    return false;

  }



  // there is an 4-byte timestamp right following p_buf

  if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {

    return false;

  }



  p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;

  uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;

  p_buf->len += A2DP_SBC_MPL_HDR_LEN;