Fix issues in A2dp, Avrcp, HF and AG reported by static analysis tool (bf8c5189) · Commits · e / os / android_packages_modules_Bluetooth

system/bta/ag/bta_ag_at.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -192,7 +192,11 @@ void bta_ag_at_parse(tBTA_AG_AT_CB p_cb, char p_buf, UINT16 len)

		if (p_cb->p_cmd_buf == NULL)
		{
		p_cb->p_cmd_buf = (char *) GKI_getbuf(p_cb->cmd_max_len);
		if ((p_cb->p_cmd_buf = (char *) GKI_getbuf(p_cb->cmd_max_len)) == NULL)
		{
		APPL_TRACE_ERROR("%s: GKI_getbuf() failed allocation", __func__);
		return;
		}
		p_cb->cmd_pos = 0;
		}

system/bta/ag/bta_ag_cmd.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -877,6 +877,12 @@ void bta_ag_at_hfp_cback(tBTA_AG_SCB *p_scb, UINT16 cmd, UINT8 arg_type,
		#if (BTM_WBS_INCLUDED == TRUE )
		tBTA_AG_PEER_CODEC codec_type, codec_sent;
		#endif
		if (p_arg == NULL)
		{
		APPL_TRACE_ERROR("%s: p_arg is null, send error and return", __func__);
		bta_ag_send_error(p_scb, BTA_AG_ERR_INV_CHAR_IN_TSTR);
		return;
		}

		APPL_TRACE_DEBUG("HFP AT cmd:%d arg_type:%d arg:%d arg:%s", cmd, arg_type,
		int_arg, p_arg);

system/bta/av/bta_av_aact.c

+8 −1

Original line number	Diff line number	Diff line
		@@ -556,8 +556,15 @@ static void bta_av_proc_stream_evt(UINT8 handle, BD_ADDR bd_addr, UINT8 event, t
		/* coverity[var_deref_model] */
		/* false-positive: bta_av_conn_cback only processes AVDT_CONNECT_IND_EVT and AVDT_DISCONNECT_IND_EVT event
		* these 2 events always have associated p_data */
		if (p_data)
		{
		bta_av_conn_cback(handle, bd_addr, event, p_data);
		}
		else
		{
		APPL_TRACE_ERROR("%s: p_data is null", __func__);
		}
		}

		/*******************************************************************************
		**

system/bta/av/bta_av_act.c

+27 −8

Original line number	Diff line number	Diff line
		@@ -96,11 +96,16 @@ void bta_av_del_rc(tBTA_AV_RCB *p_rcb)
		tBTA_AV_SCB *p_scb;
		UINT8 rc_handle; /* connected AVRCP handle */

		p_scb = NULL;
		if(p_rcb->handle != BTA_AV_RC_HANDLE_NONE)
		{
		if(p_rcb->shdl)
		{
		/* Validate array index*/
		if ((p_rcb->shdl - 1) < BTA_AV_NUM_STRS)
		{
		p_scb = bta_av_cb.p_scb[p_rcb->shdl - 1];
		}
		if(p_scb)
		{
		APPL_TRACE_DEBUG("bta_av_del_rc shdl:%d, srch:%d rc_handle:%d", p_rcb->shdl,
		@@ -1160,7 +1165,7 @@ void bta_av_stream_chg(tBTA_AV_SCB *p_scb, BOOLEAN started)
		void bta_av_conn_chg(tBTA_AV_DATA *p_data)
		{
		tBTA_AV_CB *p_cb = &bta_av_cb;
		tBTA_AV_SCB *p_scb;
		tBTA_AV_SCB *p_scb = NULL;
		tBTA_AV_SCB *p_scbi;
		UINT8 mask;
		UINT8 conn_msk;
		@@ -1172,8 +1177,11 @@ void bta_av_conn_chg(tBTA_AV_DATA *p_data)
		tBTA_AV_RCB p_rcb, p_rcb2;
		BOOLEAN chk_restore = FALSE;

		/* Validate array index*/
		if (index < BTA_AV_NUM_STRS)
		{
		p_scb = p_cb->p_scb[index];

		}
		mask = BTA_AV_HNDL_TO_MSK(index);
		p_lcb = bta_av_find_lcb(p_data->conn_chg.peer_addr, BTA_AV_LCB_FIND);
		conn_msk = 1 << (index + 1);
		@@ -1558,9 +1566,12 @@ static void bta_av_acp_sig_timer_cback (TIMER_LIST_ENT *p_tle)
		{
		UINT8 inx = (UINT8)p_tle->param;
		tBTA_AV_CB *p_cb = &bta_av_cb;
		tBTA_AV_SCB *p_scb = p_cb->p_scb[inx];
		tBTA_AV_SCB *p_scb = NULL;
		tBTA_AV_API_OPEN *p_buf;

		if (inx < BTA_AV_NUM_STRS)
		{
		p_scb = p_cb->p_scb[inx];
		}
		if (p_scb)
		{
		APPL_TRACE_DEBUG("bta_av_acp_sig_timer_cback, coll_mask = 0x%02X", p_scb->coll_mask);
		@@ -1709,8 +1720,12 @@ void bta_av_rc_disc_done(tBTA_AV_DATA *p_data)
		rc_handle = p_cb->disc & (~BTA_AV_CHNL_MSK);
		}
		else
		{
		/* Validate array index*/
		if (((p_cb->disc & BTA_AV_HNDL_MSK) - 1) < BTA_AV_NUM_STRS)
		{
		p_scb = p_cb->p_scb[(p_cb->disc & BTA_AV_HNDL_MSK) - 1];
		}
		if (p_scb)
		rc_handle = p_scb->rc_handle;
		else
		@@ -1798,6 +1813,7 @@ void bta_av_rc_closed(tBTA_AV_DATA *p_data)
		tBTA_AV_LCB *p_lcb;

		rc_close.rc_handle = BTA_AV_RC_HANDLE_NONE;
		p_scb = NULL;
		APPL_TRACE_DEBUG("bta_av_rc_closed rc_handle:%d", p_msg->handle);
		for(i=0; i<BTA_AV_NUM_RCB; i++)
		{
		@@ -1810,8 +1826,11 @@ void bta_av_rc_closed(tBTA_AV_DATA *p_data)
		p_rcb->peer_features = 0;
		APPL_TRACE_DEBUG(" shdl:%d, lidx:%d", p_rcb->shdl, p_rcb->lidx);
		if(p_rcb->shdl)
		{
		if ((p_rcb->shdl - 1) < BTA_AV_NUM_STRS)
		{
		p_scb = bta_av_cb.p_scb[p_rcb->shdl - 1];
		}
		if(p_scb)
		{
		bdcpy(rc_close.peer_addr, p_scb->peer_addr);

system/bta/av/bta_av_main.c

+5 −2

Original line number	Diff line number	Diff line
		@@ -935,7 +935,7 @@ void bta_av_restore_switch (void)
		static void bta_av_sys_rs_cback (tBTA_SYS_CONN_STATUS status,UINT8 id, UINT8 app_id, BD_ADDR peer_addr)
		{
		int i;
		tBTA_AV_SCB *p_scb;
		tBTA_AV_SCB *p_scb = NULL;
		tBTA_AV_ROLE_RES *p_buf;
		UINT8 cur_role;
		UINT8 peer_idx = 0;
		@@ -978,8 +978,11 @@ static void bta_av_sys_rs_cback (tBTA_SYS_CONN_STATUS status,UINT8 id, UINT8 app
		/* if BTA_AvOpen() was called for other device, which caused the role switch of the peer_addr, */
		/* we need to continue opening process for the BTA_AvOpen(). */
		if ((bta_av_cb.rs_idx != 0) && (bta_av_cb.rs_idx != peer_idx))
		{
		if ((bta_av_cb.rs_idx -1) < BTA_AV_NUM_STRS)
		{
		p_scb = bta_av_cb.p_scb[bta_av_cb.rs_idx - 1];
		}
		if (p_scb && p_scb->q_tag == BTA_AV_Q_TAG_OPEN)
		{
		APPL_TRACE_DEBUG ("bta_av_sys_rs_cback: rs_idx(%d), hndl:x%x q_tag: %d",