Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b0d7d4e8 authored by Hui Peng's avatar Hui Peng
Browse files

Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc 

In  A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the
`-=` operation on it may result in integer underflow and
OOB write with the computed pointer passed to
A2DP_BuildMediaPayloadHeaderSbc.

The regression test is I2e026025ce49a02280dfcacd08f4bfc1b5d12264

Bug: 186803518
Test: atest net_test_stack_a2dp_codecs_native
Ignore-AOSP-First: security
Merged-In: I45320085b1e458d3b0e0d86162a35aaaae7b34cb
Change-Id: I45320085b1e458d3b0e0d86162a35aaaae7b34cb
parent 0494f1ab

system/stack/a2dp/a2dp_sbc.cc

+5 −0
Original line number Diff line number Diff line
@@ -696,6 +696,11 @@ bool A2DP_BuildCodecHeaderSbc(UNUSED_ATTR const uint8_t* p_codec_info, 
    return false;

  }



  // there is an 4-byte timestamp right following p_buf

  if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {

    return false;

  }



  p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;

  uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;

  p_buf->len += A2DP_SBC_MPL_HDR_LEN;