diff options
| author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-07-06 20:00:15 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-07-06 20:00:15 +0000 |
| commit | 9d6acc767e232f66770a517831928933912b1df7 (patch) | |
| tree | 88d9593011c7bdf7bb7858487f2f64a402e8f2b4 | |
| parent | 8698244cacf0a6b3c35a9f676d0e5ca4ffe56461 (diff) | |
| parent | 20d1d38bdd14dc9cb9d94edbf345291a94ef4163 (diff) | |
| download | bt-9d6acc767e232f66770a517831928933912b1df7.tar.gz | |
Merge cherrypicks of [17777137, 18119099, 18030836] into rvc-platform-release. am: 20d1d38bdd
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/18465289
Change-Id: I3318be53a4baa420b76f672d2acd5c398a3290b7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
| -rw-r--r-- | bta/hf_client/bta_hf_client_at.cc | 10 | ||||
| -rw-r--r-- | stack/avrc/avrc_pars_tg.cc | 6 |
2 files changed, 13 insertions, 3 deletions
diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc index 6e4fe2696..725d6ed16 100644 --- a/bta/hf_client/bta_hf_client_at.cc +++ b/bta/hf_client/bta_hf_client_at.cc @@ -332,6 +332,10 @@ static void bta_hf_client_handle_cind_list_item(tBTA_HF_CLIENT_CB* client_cb, APPL_TRACE_DEBUG("%s: %lu.%s <%lu:%lu>", __func__, index, name, min, max); + if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) { + return; + } + /* look for a matching indicator on list of supported ones */ for (i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++) { if (strcmp(name, BTA_HF_CLIENT_INDICATOR_SERVICE) == 0) { @@ -793,9 +797,9 @@ void bta_hf_client_binp(tBTA_HF_CLIENT_CB* client_cb, char* number) { } while (0) /* skip rest of AT string up to <cr> */ -#define AT_SKIP_REST(buf) \ - do { \ - while (*(buf) != '\r') (buf)++; \ +#define AT_SKIP_REST(buf) \ + do { \ + while (*(buf) != '\r' && *(buf) != '\0') (buf)++; \ } while (0) static char* bta_hf_client_parse_ok(tBTA_HF_CLIENT_CB* client_cb, diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc index 190a88d75..5bae32e52 100644 --- a/stack/avrc/avrc_pars_tg.cc +++ b/stack/avrc/avrc_pars_tg.cc @@ -43,6 +43,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg, tAVRC_COMMAND* p_result) { tAVRC_STS status = AVRC_STS_NO_ERROR; + if (p_msg->vendor_len < 4) { // 4 == pdu + reserved byte + len as uint16 + AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4", + __func__, p_msg->vendor_len); + android_errorWriteLog(0x534e4554, "205571133"); + return AVRC_STS_INTERNAL_ERR; + } uint8_t* p = p_msg->p_vendor_data; p_result->pdu = *p++; AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu); |