AVRCP: Check number of text attribute values in response

Test: Build Bug: 71603410 Change-Id: I6f822b0bc7fc2fb042a70b64cff61583a86b36e2 (cherry picked from commit 4cd518cb3f8ac6ccb43c94a441bee67e041d0dd5)
author: Ajay Panicker <apanicke@google.com> 2018-02-02 01:11:37 -0800
committer: android-build-team Robot <android-build-team-robot@google.com> 2018-02-14 17:18:04 +0000
commit: e4ec79be45304f819c88c8dbf826d58b68f6c8f8 (patch)
tree: 0a9b2cb6ae5da5a626d273eb5e7d957df1a4b468
parent: 6f3ddf3f5cf2b3eb52fb0adabd814a45cff07221 (diff)
download: bt-e4ec79be45304f819c88c8dbf826d58b68f6c8f8.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 82c3cd755..334362449 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
@@ -494,6 +494,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
           p_result->get_cur_app_val.num_val * sizeof(tAVRC_APP_SETTING));
       AVRC_TRACE_DEBUG("%s attr count = %d ", __func__,
                        p_result->get_cur_app_val.num_val);
+
+      if (p_result->get_cur_app_val.num_val > AVRC_MAX_APP_ATTR_SIZE) {
+        android_errorWriteLog(0x534e4554, "63146237");
+        p_result->get_cur_app_val.num_val = AVRC_MAX_APP_ATTR_SIZE;
+      }
+
       for (int xx = 0; xx < p_result->get_cur_app_val.num_val; xx++) {
         BE_STREAM_TO_UINT8(app_sett[xx].attr_id, p);
         BE_STREAM_TO_UINT8(app_sett[xx].attr_val, p);
author	Ajay Panicker <apanicke@google.com>	2018-02-02 01:11:37 -0800
committer	android-build-team Robot <android-build-team-robot@google.com>	2018-02-14 17:18:04 +0000
commit	e4ec79be45304f819c88c8dbf826d58b68f6c8f8 (patch)
tree	0a9b2cb6ae5da5a626d273eb5e7d957df1a4b468
parent	6f3ddf3f5cf2b3eb52fb0adabd814a45cff07221 (diff)
download	bt-e4ec79be45304f819c88c8dbf826d58b68f6c8f8.tar.gz