Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6308ac32 authored by Sal Savage's avatar Sal Savage
Browse files

Fix BT a bad/ out of bounds array read 

Bug: 121375525
Test: Used automotive hardware and verified that pairing and media
      streaming and control still work and crashes no longer happen.
Change-Id: I3476425131718aded980f57a8b9be92a8e9f9d3b
parent f58c174c

system/bta/av/bta_av_act.cc

+8 −1
Original line number Original line Diff line number Diff line
@@ -314,12 +314,19 @@ uint8_t bta_av_rc_create(tBTA_AV_CB* p_cb, uint8_t role, uint8_t shdl, 
  tAVRC_CONN_CB ccb;

  tAVRC_CONN_CB ccb;

  RawAddress bda = RawAddress::kAny;

  RawAddress bda = RawAddress::kAny;

  uint8_t status = BTA_AV_RC_ROLE_ACP;

  uint8_t status = BTA_AV_RC_ROLE_ACP;

  tBTA_AV_SCB* p_scb = p_cb->p_scb[shdl - 1];

  int i;

  int i;

  uint8_t rc_handle;

  uint8_t rc_handle;

  tBTA_AV_RCB* p_rcb;

  tBTA_AV_RCB* p_rcb;





  if (role == AVCT_INT) {

  if (role == AVCT_INT) {

    // Can't grab a stream control block that doesn't have a valid handle

    if (!shdl) {

      APPL_TRACE_ERROR(

          "%s: Can't grab stream control block for shdl = %d -> index = %d",

          __func__, shdl, shdl - 1);

      return BTA_AV_RC_HANDLE_NONE;

    }

    tBTA_AV_SCB* p_scb = p_cb->p_scb[shdl - 1];

    bda = p_scb->PeerAddress();

    bda = p_scb->PeerAddress();

    status = BTA_AV_RC_ROLE_INT;

    status = BTA_AV_RC_ROLE_INT;

  } else {

  } else {