Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5b1f972a authored by Android Build Coastguard Worker's avatar Android Build Coastguard Worker
Browse files

Snap for 9111705 from d59ab29d to tm-qpr1-release

Change-Id: I4093bf3cc8175047889ca5b9df22474aa1115890
parents ed33458b d59ab29d
Loading
Loading
Loading
Loading
+5 −1
Original line number Diff line number Diff line
@@ -706,6 +706,7 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB* p_cb, const tBTA_HH_DATA* p_data) {
  BT_HDR* pdata = p_data->hid_cback.p_data;
  uint8_t* data = (uint8_t*)(pdata + 1) + pdata->offset;
  tBTA_HH_HSDATA hs_data;
  bool do_free = true;

  APPL_TRACE_DEBUG("Ctrl DATA received w4: event[%s]",
                   bta_hh_get_w4_event(p_cb->w4_evt));
@@ -726,6 +727,7 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB* p_cb, const tBTA_HH_DATA* p_data) {
      hs_data.rsp_data.p_rpt_data = pdata;
      bta_hh_co_get_rpt_rsp(hs_data.handle, hs_data.status, pdata->data,
                            pdata->len);
      do_free = false;
      break;
    case BTA_HH_GET_PROTO_EVT:
      /* match up BTE/BTA report/boot mode def*/
@@ -757,8 +759,10 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB* p_cb, const tBTA_HH_DATA* p_data) {
  (*bta_hh_cb.p_cback)(p_cb->w4_evt, (tBTA_HH*)&hs_data);

  p_cb->w4_evt = 0;
  if (do_free) {
    osi_free_and_reset((void**)&pdata);
  }
}

/*******************************************************************************
 *
+4 −0
Original line number Diff line number Diff line
@@ -893,6 +893,10 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
        BTIF_TRACE_WARNING("Error: cannot find device with handle %d",
                           p_data->hs_data.handle);
      }
      if (hdr) {
        osi_free(hdr);
        p_data->hs_data.rsp_data.p_rpt_data = NULL;
      }
      break;
    }

+1 −1
Original line number Diff line number Diff line
@@ -317,7 +317,7 @@ uint8_t* avdt_scb_hdl_report(AvdtpScb* p_scb, uint8_t* p, uint16_t len) {
  uint8_t* p_start = p;
  uint32_t ssrc;
  uint8_t o_v, o_p, o_cc;
  uint16_t min_len = 0;
  uint32_t min_len = 0;
  AVDT_REPORT_TYPE pt;
  tAVDT_REPORT_DATA report;

+11 −28
Original line number Diff line number Diff line
@@ -141,7 +141,7 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,

tAVRC_STS avrc_parse_notification_rsp(uint8_t* p_stream, uint16_t len,
                                      tAVRC_REG_NOTIF_RSP* p_rsp) {
  uint16_t min_len = 1;
  uint32_t min_len = 1;

  if (len < min_len) goto length_error;
  BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream);
@@ -237,7 +237,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
  }
  BE_STREAM_TO_UINT8(pdu, p);
  uint16_t pkt_len;
  uint16_t min_len = 0;
  uint32_t min_len = 0;
  /* read the entire packet len */
  BE_STREAM_TO_UINT16(pkt_len, p);

@@ -279,7 +279,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
          get_item_rsp->uid_counter, get_item_rsp->item_count);

      /* get each of the items */
      get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_malloc(
      get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_calloc(
          get_item_rsp->item_count * (sizeof(tAVRC_ITEM)));
      tAVRC_ITEM* curr_item = get_item_rsp->p_item_list;
      for (int i = 0; i < get_item_rsp->item_count; i++) {
@@ -369,7 +369,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
                             __func__, media->type, media->name.charset_id,
                             media->name.str_len, media->attr_count);

            media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_malloc(
            media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_calloc(
                media->attr_count * sizeof(tAVRC_ATTR_ENTRY));
            for (int jk = 0; jk < media->attr_count; jk++) {
              tAVRC_ATTR_ENTRY* attr_entry = &(media->p_attr_list[jk]);
@@ -380,14 +380,8 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
              /* Parse the name now */
              BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p);
              BE_STREAM_TO_UINT16(attr_entry->name.str_len, p);
              if (static_cast<uint16_t>(min_len + attr_entry->name.str_len) <
                  min_len) {
                // Check for overflow
                android_errorWriteLog(0x534e4554, "205570663");
              }
              if (pkt_len - min_len < attr_entry->name.str_len)
                goto browse_length_error;
              min_len += attr_entry->name.str_len;
              if (pkt_len < min_len) goto browse_length_error;
              attr_entry->name.p_str = (uint8_t*)osi_malloc(
                  attr_entry->name.str_len * sizeof(uint8_t));
              BE_STREAM_TO_ARRAY(p, attr_entry->name.p_str,
@@ -441,7 +435,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
      }
      BE_STREAM_TO_UINT8(get_attr_rsp->status, p)
      BE_STREAM_TO_UINT8(get_attr_rsp->num_attrs, p);
      get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_malloc(
      get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_calloc(
          get_attr_rsp->num_attrs * sizeof(tAVRC_ATTR_ENTRY));
      for (int i = 0; i < get_attr_rsp->num_attrs; i++) {
        tAVRC_ATTR_ENTRY* attr_entry = &(get_attr_rsp->p_attrs[i]);
@@ -450,14 +444,8 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
        BE_STREAM_TO_UINT32(attr_entry->attr_id, p);
        BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p);
        BE_STREAM_TO_UINT16(attr_entry->name.str_len, p);
        if (static_cast<uint16_t>(min_len + attr_entry->name.str_len) <
            min_len) {
          // Check for overflow
          android_errorWriteLog(0x534e4554, "205570663");
        }
        if (pkt_len - min_len < attr_entry->name.str_len)
          goto browse_length_error;
        min_len += attr_entry->name.str_len;
        if (pkt_len < min_len) goto browse_length_error;
        attr_entry->name.p_str =
            (uint8_t*)osi_malloc(attr_entry->name.str_len * sizeof(uint8_t));
        BE_STREAM_TO_ARRAY(p, attr_entry->name.p_str, attr_entry->name.str_len);
@@ -493,7 +481,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
          __func__, set_br_pl_rsp->status, set_br_pl_rsp->num_items,
          set_br_pl_rsp->charset_id, set_br_pl_rsp->folder_depth);

      set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_malloc(
      set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_calloc(
          set_br_pl_rsp->folder_depth * sizeof(tAVRC_NAME));

      /* Read each of the folder in the depth */
@@ -553,7 +541,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
  p++; /* skip the reserved/packe_type byte */

  uint16_t len;
  uint16_t min_len = 0;
  uint32_t min_len = 0;
  BE_STREAM_TO_UINT16(len, p);
  AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d  vendor_len=0x%x", __func__,
                   p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len);
@@ -827,12 +815,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
          BE_STREAM_TO_UINT32(p_attrs[i].attr_id, p);
          BE_STREAM_TO_UINT16(p_attrs[i].name.charset_id, p);
          BE_STREAM_TO_UINT16(p_attrs[i].name.str_len, p);
          if (static_cast<uint16_t>(min_len + p_attrs[i].name.str_len) <
              min_len) {
            // Check for overflow
            android_errorWriteLog(0x534e4554, "205570663");
          }
          if (len - min_len < p_attrs[i].name.str_len) {
          min_len += p_attrs[i].name.str_len;
          if (len < min_len) {
            for (int j = 0; j < i; j++) {
              osi_free(p_attrs[j].name.p_str);
            }
@@ -840,7 +824,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
            p_result->get_attrs.num_attrs = 0;
            goto length_error;
          }
          min_len += p_attrs[i].name.str_len;
          if (p_attrs[i].name.str_len > 0) {
            p_attrs[i].name.p_str =
                (uint8_t*)osi_calloc(p_attrs[i].name.str_len);
+1 −1
Original line number Diff line number Diff line
@@ -443,7 +443,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
  uint8_t* p = p_msg->p_browse_data;
  int count;

  uint16_t min_len = 3;
  uint32_t min_len = 3;
  RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len),
                         "msg too short");