Snap for 9111705 from d59ab29d66666424b15ffca79a9f3749ca226259 to tm-qpr1-release (5b1f972a) · Commits · e / os / android_packages_modules_Bluetooth

system/bta/hh/bta_hh_act.cc

+5 −1

Original line number	Diff line number	Diff line
		@@ -706,6 +706,7 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB* p_cb, const tBTA_HH_DATA* p_data) {
		BT_HDR* pdata = p_data->hid_cback.p_data;
		uint8_t* data = (uint8_t*)(pdata + 1) + pdata->offset;
		tBTA_HH_HSDATA hs_data;
		bool do_free = true;

		APPL_TRACE_DEBUG("Ctrl DATA received w4: event[%s]",
		bta_hh_get_w4_event(p_cb->w4_evt));
		@@ -726,6 +727,7 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB* p_cb, const tBTA_HH_DATA* p_data) {
		hs_data.rsp_data.p_rpt_data = pdata;
		bta_hh_co_get_rpt_rsp(hs_data.handle, hs_data.status, pdata->data,
		pdata->len);
		do_free = false;
		break;
		case BTA_HH_GET_PROTO_EVT:
		/* match up BTE/BTA report/boot mode def*/
		@@ -757,8 +759,10 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB* p_cb, const tBTA_HH_DATA* p_data) {
		(bta_hh_cb.p_cback)(p_cb->w4_evt, (tBTA_HH)&hs_data);

		p_cb->w4_evt = 0;
		if (do_free) {
		osi_free_and_reset((void**)&pdata);
		}
		}

		/*******************************************************************************
		*

system/btif/src/btif_hh.cc

+4 −0

Original line number	Diff line number	Diff line
		@@ -893,6 +893,10 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
		BTIF_TRACE_WARNING("Error: cannot find device with handle %d",
		p_data->hs_data.handle);
		}
		if (hdr) {
		osi_free(hdr);
		p_data->hs_data.rsp_data.p_rpt_data = NULL;
		}
		break;
		}

system/stack/avdt/avdt_scb_act.cc

+1 −1

Original line number	Diff line number	Diff line
		@@ -317,7 +317,7 @@ uint8_t* avdt_scb_hdl_report(AvdtpScb* p_scb, uint8_t* p, uint16_t len) {
		uint8_t* p_start = p;
		uint32_t ssrc;
		uint8_t o_v, o_p, o_cc;
		uint16_t min_len = 0;
		uint32_t min_len = 0;
		AVDT_REPORT_TYPE pt;
		tAVDT_REPORT_DATA report;

system/stack/avrc/avrc_pars_ct.cc

+11 −28

Original line number	Diff line number	Diff line
		@@ -141,7 +141,7 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,

		tAVRC_STS avrc_parse_notification_rsp(uint8_t* p_stream, uint16_t len,
		tAVRC_REG_NOTIF_RSP* p_rsp) {
		uint16_t min_len = 1;
		uint32_t min_len = 1;

		if (len < min_len) goto length_error;
		BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream);
		@@ -237,7 +237,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
		}
		BE_STREAM_TO_UINT8(pdu, p);
		uint16_t pkt_len;
		uint16_t min_len = 0;
		uint32_t min_len = 0;
		/* read the entire packet len */
		BE_STREAM_TO_UINT16(pkt_len, p);

		@@ -279,7 +279,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
		get_item_rsp->uid_counter, get_item_rsp->item_count);

		/* get each of the items */
		get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_malloc(
		get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_calloc(
		get_item_rsp->item_count * (sizeof(tAVRC_ITEM)));
		tAVRC_ITEM* curr_item = get_item_rsp->p_item_list;
		for (int i = 0; i < get_item_rsp->item_count; i++) {
		@@ -369,7 +369,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
		__func__, media->type, media->name.charset_id,
		media->name.str_len, media->attr_count);

		media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_malloc(
		media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_calloc(
		media->attr_count * sizeof(tAVRC_ATTR_ENTRY));
		for (int jk = 0; jk < media->attr_count; jk++) {
		tAVRC_ATTR_ENTRY* attr_entry = &(media->p_attr_list[jk]);
		@@ -380,14 +380,8 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
		/* Parse the name now */
		BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p);
		BE_STREAM_TO_UINT16(attr_entry->name.str_len, p);
		if (static_cast<uint16_t>(min_len + attr_entry->name.str_len) <
		min_len) {
		// Check for overflow
		android_errorWriteLog(0x534e4554, "205570663");
		}
		if (pkt_len - min_len < attr_entry->name.str_len)
		goto browse_length_error;
		min_len += attr_entry->name.str_len;
		if (pkt_len < min_len) goto browse_length_error;
		attr_entry->name.p_str = (uint8_t*)osi_malloc(
		attr_entry->name.str_len * sizeof(uint8_t));
		BE_STREAM_TO_ARRAY(p, attr_entry->name.p_str,
		@@ -441,7 +435,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
		}
		BE_STREAM_TO_UINT8(get_attr_rsp->status, p)
		BE_STREAM_TO_UINT8(get_attr_rsp->num_attrs, p);
		get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_malloc(
		get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_calloc(
		get_attr_rsp->num_attrs * sizeof(tAVRC_ATTR_ENTRY));
		for (int i = 0; i < get_attr_rsp->num_attrs; i++) {
		tAVRC_ATTR_ENTRY* attr_entry = &(get_attr_rsp->p_attrs[i]);
		@@ -450,14 +444,8 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
		BE_STREAM_TO_UINT32(attr_entry->attr_id, p);
		BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p);
		BE_STREAM_TO_UINT16(attr_entry->name.str_len, p);
		if (static_cast<uint16_t>(min_len + attr_entry->name.str_len) <
		min_len) {
		// Check for overflow
		android_errorWriteLog(0x534e4554, "205570663");
		}
		if (pkt_len - min_len < attr_entry->name.str_len)
		goto browse_length_error;
		min_len += attr_entry->name.str_len;
		if (pkt_len < min_len) goto browse_length_error;
		attr_entry->name.p_str =
		(uint8_t)osi_malloc(attr_entry->name.str_len sizeof(uint8_t));
		BE_STREAM_TO_ARRAY(p, attr_entry->name.p_str, attr_entry->name.str_len);
		@@ -493,7 +481,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
		__func__, set_br_pl_rsp->status, set_br_pl_rsp->num_items,
		set_br_pl_rsp->charset_id, set_br_pl_rsp->folder_depth);

		set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_malloc(
		set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_calloc(
		set_br_pl_rsp->folder_depth * sizeof(tAVRC_NAME));

		/* Read each of the folder in the depth */
		@@ -553,7 +541,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
		p++; /* skip the reserved/packe_type byte */

		uint16_t len;
		uint16_t min_len = 0;
		uint32_t min_len = 0;
		BE_STREAM_TO_UINT16(len, p);
		AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d vendor_len=0x%x", __func__,
		p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len);
		@@ -827,12 +815,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
		BE_STREAM_TO_UINT32(p_attrs[i].attr_id, p);
		BE_STREAM_TO_UINT16(p_attrs[i].name.charset_id, p);
		BE_STREAM_TO_UINT16(p_attrs[i].name.str_len, p);
		if (static_cast<uint16_t>(min_len + p_attrs[i].name.str_len) <
		min_len) {
		// Check for overflow
		android_errorWriteLog(0x534e4554, "205570663");
		}
		if (len - min_len < p_attrs[i].name.str_len) {
		min_len += p_attrs[i].name.str_len;
		if (len < min_len) {
		for (int j = 0; j < i; j++) {
		osi_free(p_attrs[j].name.p_str);
		}
		@@ -840,7 +824,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
		p_result->get_attrs.num_attrs = 0;
		goto length_error;
		}
		min_len += p_attrs[i].name.str_len;
		if (p_attrs[i].name.str_len > 0) {
		p_attrs[i].name.p_str =
		(uint8_t*)osi_calloc(p_attrs[i].name.str_len);

system/stack/avrc/avrc_pars_tg.cc

+1 −1

Original line number	Diff line number	Diff line
		@@ -443,7 +443,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
		uint8_t* p = p_msg->p_browse_data;
		int count;

		uint16_t min_len = 3;
		uint32_t min_len = 3;
		RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len),
		"msg too short");