Commit eb53b8cb authored by Hui Peng
Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc

In A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the
`-=` operation on it may result in integer underflow and
OOB write with the computed pointer passed to
A2DP_BuildMediaPayloadHeaderSbc.

The regression test is I2e026025ce49a02280dfcacd08f4bfc1b5d12264

Bug: 186803518
Test: atest net_test_stack_a2dp_codecs_native
Ignore-AOSP-First: security
Change-Id: I45320085b1e458d3b0e0d86162a35aaaae7b34cb
parent 780b0804
+4 −0
@@ -696,6 +696,10 @@ bool A2DP_BuildCodecHeaderSbc(UNUSED_ATTR const uint8_t* p_codec_info,
    return false;
  }

  if (p_buf->offset < A2DP_SBC_MPL_HDR_LEN) {
    return false;
  }

  p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;
  uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;
  p_buf->len += A2DP_SBC_MPL_HDR_LEN;
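
Review bot: The new guard ahead of `p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;` returns false with no log and no comment, so a caller gets the same result as from the earlier `return false` path and cannot tell that the buffer simply lacked room for the media payload header. An error log that prints `p_buf->offset`, plus a one-line comment stating that the offset must leave at least A2DP_SBC_MPL_HDR_LEN bytes of headroom, would make the failure diagnosable. The matching `p_buf->len += A2DP_SBC_MPL_HDR_LEN;` on the last line is still unchecked; if `len` is a narrow unsigned field it can wrap in the other direction, so a bound on it belongs next to this check.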