Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 98381956 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Fix a few OOB bugs in avrc_bld_get_folder_items_rsp" into tm-dev am:... 

Merge "Fix a few OOB bugs in avrc_bld_get_folder_items_rsp" into tm-dev am: 35b7a201 am: 165c3b7e am: 49af7137

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22605431



Change-Id: I7a78f8fa95ef546943167b26eb9b731385c078db
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents acfe28b2 49af7137

system/stack/avrc/avrc_bld_tg.cc

+18 −3
Original line number Diff line number Diff line
@@ -906,7 +906,7 @@ static tAVRC_STS avrc_bld_get_folder_items_rsp(tAVRC_GET_ITEMS_RSP* p_rsp, 
  uint8_t *p_data, *p_start;

  uint8_t *p_len, xx;

  uint16_t len;

  uint16_t item_len;

  size_t item_len;

  uint8_t *p_item_len, yy;

  tAVRC_ITEM_PLAYER* p_player;

  tAVRC_ITEM_FOLDER* p_folder;
@@ -927,6 +927,15 @@ static tAVRC_STS avrc_bld_get_folder_items_rsp(tAVRC_GET_ITEMS_RSP* p_rsp, 
  p = (uint8_t*)(p_pkt + 1);

  BE_STREAM_TO_UINT16(mtu, p);

  if (len_left > mtu) len_left = mtu;



  // according to spec

  // Version 5.3 | Vol 3, Part A, Chapter 5

  // MTU may be controlled by the peer

  if (len_left < p_pkt->offset  + p_pkt->len) {

    AVRC_TRACE_ERROR("memory not enough (len_left=%d)", len_left);

    return AVRC_STS_INTERNAL_ERR;

  }



  len_left = len_left - p_pkt->offset - p_pkt->len;



  /* get the existing length, if any, and also the num attributes */
@@ -943,6 +952,12 @@ static tAVRC_STS avrc_bld_get_folder_items_rsp(tAVRC_GET_ITEMS_RSP* p_rsp, 
    item_count = 0;

    p_data += 2;

    len = 5;



    if (len_left < 5) {

      AVRC_TRACE_ERROR("memory not enough (len_left=%d)", len_left);

      return AVRC_STS_INTERNAL_ERR;

    }



    len_left -= 5;

  } else {

    p_data = p_start + p_pkt->len;
@@ -1035,8 +1050,8 @@ static tAVRC_STS avrc_bld_get_folder_items_rsp(tAVRC_GET_ITEMS_RSP* p_rsp, 
        p_attr = p_media->p_attr_list;

        for (yy = 0; yy < p_media->attr_count; yy++) {

          /* len required: 4 + 2 + 2 + str_len */

          const uint16_t attribute_len = p_attr[yy].name.str_len + 8;

          if (item_len_left < attribute_len || !p_attr[yy].name.p_str ||

          const size_t attribute_len = p_attr[yy].name.str_len + 8;

          if (attribute_len_left < attribute_len || !p_attr[yy].name.p_str ||

              AVRC_IS_VALID_MEDIA_ATTRIBUTE(p_attr[yy].attr_id)) {

            if (attribute_len_left < attribute_len && item_count > 0) {

              multi_items_add_fail = true;