diff options
author | Android Build Merger (Role) <noreply-android-build-merger@google.com> | 2018-06-05 03:48:29 +0000 |
---|---|---|
committer | Android Build Merger (Role) <noreply-android-build-merger@google.com> | 2018-06-05 03:48:29 +0000 |
commit | 25fc5872de378ba3e6957540968920a3d3020ca6 (patch) | |
tree | ceb20b36050280f2fd14dd7d1f95b86c38429a48 | |
parent | 8e9b52590988f6741f25164fb86789c4fbfcdd35 (diff) | |
parent | 8dca5d69812ce60cc5fbeaec0f8f64593e4c1f8f (diff) | |
download | bt-25fc5872de378ba3e6957540968920a3d3020ca6.tar.gz |
[automerger] Add checks whether the AVDTP element data length is valid am: e192c988cb am: 6b2f63f880 am: ac8793939a am: 862eb4827b am: e7c8891319 am: c25b7e056e am: 515cf6983e am: 8dca5d6981
Change-Id: I10eba2bac9686a5f50b736d1bc38caa0cd56265a
-rw-r--r-- | stack/avdt/avdt_msg.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/stack/avdt/avdt_msg.c b/stack/avdt/avdt_msg.c index adc1ae731..9697a590b 100644 --- a/stack/avdt/avdt_msg.c +++ b/stack/avdt/avdt_msg.c @@ -26,6 +26,7 @@ * ******************************************************************************/ +#include <log/log.h> #include <string.h> #include "bt_types.h" #include "bt_target.h" @@ -673,6 +674,11 @@ static UINT8 avdt_msg_prs_cfg(tAVDT_CFG *p_cfg, UINT8 *p, UINT16 len, UINT8* p_e case AVDT_CAT_PROTECT: p_cfg->psc_mask &= ~AVDT_PSC_PROTECT; + if (p + elem_len > p_end) { + err = AVDT_ERR_LENGTH; + android_errorWriteLog(0x534e4554, "78288378"); + break; + } if ((elem_len + protect_offset) < AVDT_PROTECT_SIZE) { p_cfg->num_protect++; @@ -747,6 +753,11 @@ static UINT8 avdt_msg_prs_cfg(tAVDT_CFG *p_cfg, UINT8 *p, UINT16 len, UINT8* p_e { tmp = AVDT_CODEC_SIZE - 1; } + if (p + tmp > p_end) { + err = AVDT_ERR_LENGTH; + android_errorWriteLog(0x534e4554, "78288378"); + break; + } p_cfg->num_codec++; p_cfg->codec_info[0] = elem_len; memcpy(&p_cfg->codec_info[1], p, tmp); |