Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d4eecc0d authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Check packet size in avrc_pars_browse_rsp" into rvc-dev am: f98ebce5 

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/13563503

Change-Id: Ie0c31c14363a6fee854770372b0a3c5cd4262cfb
parents c6b7a3e4 f98ebce5

system/stack/avrc/avrc_pars_ct.cc

+7 −0
Original line number Diff line number Diff line
@@ -428,12 +428,19 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, 
    case AVRC_PDU_GET_ITEM_ATTRIBUTES: {

      tAVRC_GET_ATTRS_RSP* get_attr_rsp = &(p_rsp->get_attrs);

      get_attr_rsp->pdu = pdu;

      min_len += 2;

      if (pkt_len < min_len) {

        android_errorWriteLog(0x534e4554, "179162665");

        goto browse_length_error;

      }

      BE_STREAM_TO_UINT8(get_attr_rsp->status, p)

      BE_STREAM_TO_UINT8(get_attr_rsp->num_attrs, p);

      get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_malloc(

          get_attr_rsp->num_attrs * sizeof(tAVRC_ATTR_ENTRY));

      for (int i = 0; i < get_attr_rsp->num_attrs; i++) {

        tAVRC_ATTR_ENTRY* attr_entry = &(get_attr_rsp->p_attrs[i]);

        min_len += 8;

        if (pkt_len < min_len) goto browse_length_error;

        BE_STREAM_TO_UINT32(attr_entry->attr_id, p);

        BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p);

        BE_STREAM_TO_UINT16(attr_entry->name.str_len, p);