Fix an OOB bug in bta_hh_co_get_rpt_rsp

This is a backport of I13be3103903631de4a0fa2080151bc89884c65c9

Bug: 259675705
Test: manual
Tag: #security
Ignore-AOSP-First: security
Change-Id: Ifff9e18b4e52d84ce06a480585663f53d8c0f0e8

1 files changed, 6 insertions, 5 deletions

diff --git a/btif/co/bta_hh_co.cc b/btif/co/bta_hh_co.cc
index 5a7cad845..ca70e84a7 100644
--- a/btif/co/bta_hh_co.cc
+++ b/btif/co/bta_hh_co.cc
@@ -571,22 +571,23 @@ void bta_hh_co_get_rpt_rsp(uint8_t dev_handle, uint8_t status, uint8_t* p_rpt,
   }
 
   // Send the HID report to the kernel.
-  if (p_dev->fd >= 0 && p_dev->get_rpt_snt--) {
+  if (p_dev->fd >= 0 && p_dev->get_rpt_snt > 0 && p_dev->get_rpt_snt--) {
     uint32_t* get_rpt_id =
         (uint32_t*)fixed_queue_dequeue(p_dev->get_rpt_id_queue);
     memset(&ev, 0, sizeof(ev));
     ev.type = UHID_FEATURE_ANSWER;
     ev.u.feature_answer.id = *get_rpt_id;
     ev.u.feature_answer.err = status;
-    ev.u.feature_answer.size = len;
+    ev.u.feature_answer.size = len - GET_RPT_RSP_OFFSET;
     osi_free(get_rpt_id);
-    if (len > 0) {
-      if (len > UHID_DATA_MAX) {
+    if (len > GET_RPT_RSP_OFFSET) {
+      if (len - GET_RPT_RSP_OFFSET > UHID_DATA_MAX) {
         APPL_TRACE_WARNING("%s: Report size greater than allowed size",
                            __func__);
         return;
       }
-      memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET, len);
+      memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET,
+             len - GET_RPT_RSP_OFFSET);
       uhid_write(p_dev->fd, &ev);
     }
   }