
Commit b74afd0b authored by Android Build Merger (Role)'s avatar Android Build Merger (Role)

[automerger] DO NOT MERGE - Check data length when parsing AVRCP vendor...

[automerger] DO NOT MERGE - Check data length when parsing AVRCP vendor specific command responses am: ffc0d8f9 am: 8362c781 am: a3266f83 am: 4275830b

Change-Id: I1fd09d0eefdffd0670f217aaf2a674abc7bc829a
parents e46ef074 4275830b
+36 −2
@@ -56,14 +56,34 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR *p_msg, tAVRC_RESPONSE *p
    if (p_msg->p_vendor_data == NULL)
        return AVRC_STS_INTERNAL_ERR;

    if (p_msg->vendor_len < 4) {
        android_errorWriteLog(0x534e4554, "111450531");
        AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
                           __func__, p_msg->vendor_len);
        return AVRC_STS_INTERNAL_ERR;
    }
    p = p_msg->p_vendor_data;
    BE_STREAM_TO_UINT8 (p_result->pdu, p);
    p++; /* skip the reserved/packe_type byte */
    BE_STREAM_TO_UINT16 (len, p);
    AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x",
                     __func__, p_msg->hdr.ctype, p_result->pdu, len, len);
    AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x vendor_len=0x%x",
                     __func__, p_msg->hdr.ctype, p_result->pdu, len, len,
                     p_msg->vendor_len);
    if (p_msg->vendor_len < len + 4) {
        android_errorWriteLog(0x534e4554, "111450531");
        AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
                           __func__, p_msg->vendor_len, len + 4);
        return AVRC_STS_INTERNAL_ERR;
    }

    if (p_msg->hdr.ctype == AVRC_RSP_REJ)
    {
        if (len < 1) {
          android_errorWriteLog(0x534e4554, "111450531");
          AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least 1",
                             __func__, len);
          return AVRC_STS_INTERNAL_ERR;
        }
        p_result->rsp.status = *p;
        return p_result->rsp.status;
    }
@@ -86,11 +106,25 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR *p_msg, tAVRC_RESPONSE *p

    case AVRC_PDU_REGISTER_NOTIFICATION:    /* 0x31 */
#if (AVRC_ADV_CTRL_INCLUDED == TRUE)
        if (len < 1) {
            android_errorWriteLog(0x534e4554, "111450531");
            AVRC_TRACE_WARNING(
              "%s: invalid parameter length %d: must be at least 1", __func__,
              len);
            return AVRC_STS_INTERNAL_ERR;
        }
        BE_STREAM_TO_UINT8 (eventid, p);
        if(AVRC_EVT_VOLUME_CHANGE==eventid
            && (AVRC_RSP_CHANGED==p_msg->hdr.ctype || AVRC_RSP_INTERIM==p_msg->hdr.ctype
            || AVRC_RSP_REJ==p_msg->hdr.ctype || AVRC_RSP_NOT_IMPL==p_msg->hdr.ctype))
        {
            if (len < 2) {
                android_errorWriteLog(0x534e4554, "111450531");
                AVRC_TRACE_WARNING(
                    "%s: invalid parameter length %d: must be at least 2", __func__,
                    len);
                return AVRC_STS_INTERNAL_ERR;
            }
            p_result->reg_notif.status=p_msg->hdr.ctype;
            p_result->reg_notif.event_id=eventid;
            BE_STREAM_TO_UINT8 (p_result->reg_notif.param.volume, p);
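Review bot: The header size `4` is a bare literal in both new bounds checks of the first hunk (`p_msg->vendor_len < 4` and `p_msg->vendor_len < len + 4`) and again in their warning text, so a reader has to work out that it covers the PDU byte, the reserved/packet-type byte and the two-byte parameter length read just below. A short comment above the first check, such as `/* 4 = pdu (1) + reserved/packet type (1) + parameter length (2) */`, or a named constant, would keep the checks tied to the parsing they guard. The same log-warn-return sequence is also repeated five times across the two hunks, and a small static helper would keep the copies consistent. The body of avrc_pars_vendor_rsp starts and ends outside the visible hunks, so the remaining PDU cases cannot be checked here for the same per-field `len` guards.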