Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit aa879e3b authored Jan 12, 2023 by Can Chen Committed by 陈璨 Jul 04, 2023

Fix coverity scan issue: uninitialized scalar variable

[Description]
Issue type: uninitialized scalar variable

[Root Cause]
In function bta_av_rc_msg(), av.remote_rsp.len and av.remote_rsp.p_data are uninitialized if this VENDOR cmd is not implemented by peer.
While in function handle_rc_vendorunique_rsp(), p_remote_rsp->len may be greater than 0 and call osi_free_and_reset()

[Solution]
Initialize the len and p_data.
Adding code to judge this case, avoid free null pointer.

Bug: 270276349
Test: atest net_test_btif_rc pass
Test: atest net_test_stack pass

Change-Id: Ic3aa23b4e5c17147f5c2d489abb0da43aa5561ce

parent 60f87b20

system/bta/av/bta_av_act.cc

+2 −0

Original line number	Diff line number	Diff line
		@@ -1040,6 +1040,8 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) {
		av.remote_rsp.key_state = p_data->rc_msg.msg.pass.state;
		av.remote_rsp.rsp_code = p_data->rc_msg.msg.hdr.ctype;
		av.remote_rsp.label = p_data->rc_msg.label;
		av.remote_rsp.len = p_data->rc_msg.msg.pass.pass_len;
		av.remote_rsp.p_data = NULL;

		/* If this response is for vendor unique command */
		if ((p_data->rc_msg.msg.pass.op_id == AVRC_ID_VENDOR) &&

system/btif/src/btif_rc.cc

+1 −1

Original line number	Diff line number	Diff line
		@@ -1070,7 +1070,7 @@ void handle_rc_vendorunique_rsp(tBTA_AV_REMOTE_RSP* p_remote_rsp) {
		key_state = 0;
		}

		if (p_remote_rsp->len > 0) {
		if (p_remote_rsp->len > 0 && p_remote_rsp->p_data != NULL) {
		if (p_remote_rsp->len >= AVRC_PASS_THRU_GROUP_LEN)
		vendor_id = p_remote_rsp->p_data[AVRC_PASS_THRU_GROUP_LEN - 1];
		osi_free_and_reset((void**)&p_remote_rsp->p_data);