Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ccf2c47f authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Fix an OOB access bug in BtaAvCo::GetNextSourceDataPacket" into tm-dev am: bfdef9b8 

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20692840



Change-Id: I9f986d31b07c8602d04818ab5d8836f879fd0b36
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents aa9c1908 bfdef9b8

system/btif/co/bta_av_co.cc

+9 −0
Original line number Diff line number Diff line
@@ -33,6 +33,7 @@ 
#include "btif/include/btif_av.h"

#include "include/hardware/bt_av.h"

#include "osi/include/osi.h"  // UNUSED_ATTR

#include "osi/include/allocator.h"

#include "stack/include/a2dp_codec_api.h"

#include "stack/include/a2dp_error_codes.h"

#include "stack/include/avdt_api.h"
@@ -1372,6 +1373,12 @@ BT_HDR* BtaAvCo::GetNextSourceDataPacket(const uint8_t* p_codec_info, 
  p_buf = btif_a2dp_source_audio_readbuf();

  if (p_buf == nullptr) return nullptr;



  if (p_buf->offset < 4) {

    osi_free(p_buf);

    APPL_TRACE_ERROR("No space for timestamp in packet, dropped");

    return nullptr;

  }



  /*

   * Retrieve the timestamp information from the media packet,

   * and set up the packet header.
@@ -1385,6 +1392,8 @@ BT_HDR* BtaAvCo::GetNextSourceDataPacket(const uint8_t* p_codec_info, 
      !A2DP_BuildCodecHeader(p_codec_info, p_buf, p_buf->layer_specific)) {

    APPL_TRACE_ERROR("%s: unsupported codec type (%d)", __func__,

                     A2DP_GetCodecType(p_codec_info));

    osi_free(p_buf);

    return nullptr;

  }



  if (ContentProtectEnabled() && (active_peer_ != nullptr) &&