
Commit b7ea57f6 authored by Brian Delwiche, committed by Android Build Coastguard Worker

Fix potential abort in btu_av_act.cc

Partner analysis shows that bta_av_rc_msg does not respect handling
established for a null browse packet, instead dispatching the null
pointer to bta_av_rc_free_browse_msg.  Strictly speaking this does
not cause a UAF, as osi_free_and_reset will find the null and abort,
but it will lead to improper program termination.

Handle the case instead.

Bug: 269253349
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d3ee136851de30261e56c62fbb488541dc564b94)
Merged-In: I14dc4910476c733b246bcf7ff292afe9b7c0cc3d
Change-Id: I14dc4910476c733b246bcf7ff292afe9b7c0cc3d
parent 8770c07c
+4 −1
@@ -1002,9 +1002,12 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) {
    av.remote_cmd.rc_handle = p_data->rc_msg.handle;
    (*p_cb->p_cback)(evt, &av);
    /* If browsing message, then free the browse message buffer */
    if (p_data->rc_msg.opcode == AVRC_OP_BROWSE &&
        p_data->rc_msg.msg.browse.p_browse_pkt != NULL) {
      bta_av_rc_free_browse_msg(p_cb, p_data);
    }
  }
}

/*******************************************************************************
 *
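Review bot: the added `p_browse_pkt != NULL` condition on the `if` in bta_av_rc_msg silently skips the free path for a null browse packet, which is the intended behaviour per the commit message, but nothing in the code says why a null `p_browse_pkt` can reach this point with opcode `AVRC_OP_BROWSE`; extend the comment above the check (for example: `/* If browsing message with a payload, free the browse message buffer; a null p_browse_pkt is legitimate and must not be passed to bta_av_rc_free_browse_msg */`) so the guard is not removed as redundant later. The `Test:` line only names a generic unit-test run and does not indicate a case that drives this branch with a null browse packet; a test that dispatches an `AVRC_OP_BROWSE` message with `p_browse_pkt == NULL` and asserts that `bta_av_rc_free_browse_msg` is not invoked would pin the fix. Minor: the commit subject refers to btu_av_act.cc while the function in this hunk is `bta_av_rc_msg`, which lives in the bta_ layer; worth confirming the subject names the file actually changed.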