Merge "Harden array bounds validation" into tm-dev

     * for standard attributes.

     * for standard attributes.

     */

     */

    p_app_settings->num_ext_attrs = 0;

    p_app_settings->num_ext_attrs = 0;

    for (xx = 0; xx < p_app_settings->ext_attr_index; xx++) {

    for (xx = 0;

         xx < p_app_settings->ext_attr_index && xx < AVRC_MAX_APP_ATTR_SIZE;

         xx++) {

      osi_free_and_reset((void**)&p_app_settings->ext_attrs[xx].p_str);

      osi_free_and_reset((void**)&p_app_settings->ext_attrs[xx].p_str);

    }

    }

    p_app_settings->ext_attr_index = 0;

    p_app_settings->ext_attr_index = 0;

    if (p_dev) {

    for (xx = 0; xx < p_app_settings->num_attrs && xx < AVRC_MAX_APP_ATTR_SIZE;

      for (xx = 0; xx < p_app_settings->num_attrs; xx++) {

         xx++) {

      attrs[xx] = p_app_settings->attrs[xx].attr_id;

      attrs[xx] = p_app_settings->attrs[xx].attr_id;

    }

    }

    do_in_jni_thread(

    do_in_jni_thread(

          FROM_HERE,

        FROM_HERE, base::Bind(bt_rc_ctrl_callbacks->playerapplicationsetting_cb,

          base::Bind(bt_rc_ctrl_callbacks->playerapplicationsetting_cb,

                              p_dev->rc_addr, p_app_settings->num_attrs,

                              p_dev->rc_addr, p_app_settings->num_attrs,

                              p_app_settings->attrs, 0, nullptr));

                              p_app_settings->attrs, 0, nullptr));

    get_player_app_setting_cmd(xx, attrs, p_dev);

    get_player_app_setting_cmd(xx, attrs, p_dev);

    }

    return;

    return;

  }

  }

  for (xx = 0; xx < p_rsp->num_attr; xx++) {

  for (xx = 0; xx < p_rsp->num_attr; xx++) {

    uint8_t x;

    uint8_t x;

    for (x = 0; x < p_app_settings->num_ext_attrs; x++) {

    for (x = 0; x < p_app_settings->num_ext_attrs && x < AVRC_MAX_APP_ATTR_SIZE;

         x++) {

      if (p_app_settings->ext_attrs[x].attr_id == p_rsp->p_attrs[xx].attr_id) {

      if (p_app_settings->ext_attrs[x].attr_id == p_rsp->p_attrs[xx].attr_id) {

        p_app_settings->ext_attrs[x].charset_id = p_rsp->p_attrs[xx].charset_id;

        p_app_settings->ext_attrs[x].charset_id = p_rsp->p_attrs[xx].charset_id;

        p_app_settings->ext_attrs[x].str_len = p_rsp->p_attrs[xx].str_len;

        p_app_settings->ext_attrs[x].str_len = p_rsp->p_attrs[xx].str_len;

    }

    }

  }

  }

  for (xx = 0; xx < p_app_settings->ext_attrs[0].num_val; xx++) {

  for (xx = 0;

       xx < p_app_settings->ext_attrs[0].num_val && xx < BTRC_MAX_APP_ATTR_SIZE;

       xx++) {

    vals[xx] = p_app_settings->ext_attrs[0].ext_attr_val[xx].val;

    vals[xx] = p_app_settings->ext_attrs[0].ext_attr_val[xx].val;

  }

  }

  get_player_app_setting_value_text_cmd(vals, xx, p_dev);

  get_player_app_setting_value_text_cmd(vals, xx, p_dev);

     * for standard attributes.

     * for standard attributes.

     */

     */

    p_app_settings->num_ext_attrs = 0;

    p_app_settings->num_ext_attrs = 0;

    for (xx = 0; xx < p_app_settings->ext_attr_index; xx++) {

    for (xx = 0;

         xx < p_app_settings->ext_attr_index && xx < AVRC_MAX_APP_ATTR_SIZE;

         xx++) {

      int x;

      int x;

      btrc_player_app_ext_attr_t* p_ext_attr = &p_app_settings->ext_attrs[xx];

      btrc_player_app_ext_attr_t* p_ext_attr = &p_app_settings->ext_attrs[xx];

      for (x = 0; x < p_ext_attr->num_val; x++)

      for (x = 0; x < p_ext_attr->num_val && x < BTRC_MAX_APP_ATTR_SIZE; x++)

        osi_free_and_reset((void**)&p_ext_attr->ext_attr_val[x].p_str);

        osi_free_and_reset((void**)&p_ext_attr->ext_attr_val[x].p_str);

      p_ext_attr->num_val = 0;

      p_ext_attr->num_val = 0;

      osi_free_and_reset((void**)&p_app_settings->ext_attrs[xx].p_str);

      osi_free_and_reset((void**)&p_app_settings->ext_attrs[xx].p_str);

    return;

    return;

  }

  }

  if (p_app_settings->ext_val_index >= AVRC_MAX_APP_ATTR_SIZE) {

    BTIF_TRACE_ERROR("ext_val_index is 0x%02x, overflow!",

                     p_app_settings->ext_val_index);

    return;

  }

  for (xx = 0; xx < p_rsp->num_attr; xx++) {

  for (xx = 0; xx < p_rsp->num_attr; xx++) {

    uint8_t x;

    uint8_t x;

    btrc_player_app_ext_attr_t* p_ext_attr;

    btrc_player_app_ext_attr_t* p_ext_attr;

    p_ext_attr = &p_app_settings->ext_attrs[p_app_settings->ext_val_index];

    p_ext_attr = &p_app_settings->ext_attrs[p_app_settings->ext_val_index];

    for (x = 0; x < p_rsp->num_attr; x++) {

    for (x = 0; x < p_rsp->num_attr && x < BTRC_MAX_APP_ATTR_SIZE; x++) {

      if (p_ext_attr->ext_attr_val[x].val == p_rsp->p_attrs[xx].attr_id) {

      if (p_ext_attr->ext_attr_val[x].val == p_rsp->p_attrs[xx].attr_id) {

        p_ext_attr->ext_attr_val[x].charset_id = p_rsp->p_attrs[xx].charset_id;

        p_ext_attr->ext_attr_val[x].charset_id = p_rsp->p_attrs[xx].charset_id;

        p_ext_attr->ext_attr_val[x].str_len = p_rsp->p_attrs[xx].str_len;

        p_ext_attr->ext_attr_val[x].str_len = p_rsp->p_attrs[xx].str_len;

 **************************************************************************/

 **************************************************************************/

static void cleanup_app_attr_val_txt_response(

static void cleanup_app_attr_val_txt_response(

    btif_rc_player_app_settings_t* p_app_settings) {

    btif_rc_player_app_settings_t* p_app_settings) {

  for (uint8_t xx = 0; xx < p_app_settings->ext_attr_index; xx++) {

  for (uint8_t xx = 0;

       xx < p_app_settings->ext_attr_index && xx < AVRC_MAX_APP_ATTR_SIZE;

       xx++) {

    int x;

    int x;

    btrc_player_app_ext_attr_t* p_ext_attr = &p_app_settings->ext_attrs[xx];

    btrc_player_app_ext_attr_t* p_ext_attr = &p_app_settings->ext_attrs[xx];

    for (x = 0; x < p_ext_attr->num_val; x++) {

    for (x = 0; x < p_ext_attr->num_val && x < BTRC_MAX_APP_ATTR_SIZE; x++) {

      osi_free_and_reset((void**)&p_ext_attr->ext_attr_val[x].p_str);

      osi_free_and_reset((void**)&p_ext_attr->ext_attr_val[x].p_str);

    }

    }

    p_ext_attr->num_val = 0;

    p_ext_attr->num_val = 0;