Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 789d4bc6 authored by Brian Delwiche's avatar Brian Delwiche
Browse files

Add bounds check in avdt_scb_act.cc 

Bug: 242535997
Test: BT unit tests, validated against researcher POC
Tag: #security
Ignore-AOSP-First: Security
Change-Id: Id3b665da0214e3c93f277e31077214fcd1d936e7
parent ccf02490

system/stack/avdt/avdt_scb_act.cc

+5 −0
Original line number Diff line number Diff line
@@ -1023,6 +1023,11 @@ void avdt_scb_hdl_write_req(AvdtpScb* p_scb, tAVDT_SCB_EVT* p_data) { 


  /* Build a media packet, and add an RTP header if required. */

  if (add_rtp_header) {

    if (p_data->apiwrite.p_buf->offset < AVDT_MEDIA_HDR_SIZE) {

      android_errorWriteWithInfoLog(0x534e4554, "242535997", -1, NULL, 0);

      return;

    }



    ssrc = avdt_scb_gen_ssrc(p_scb);



    p_data->apiwrite.p_buf->len += AVDT_MEDIA_HDR_SIZE;