Merge "Fix an OOB Write bug in avrc_vendor_msg" into tm-dev

system/stack/avrc/avrc_opt.cc

@@ -49,9 +49,20 @@ static BT_HDR* avrc_vendor_msg(tAVRC_MSG_VENDOR* p_msg) {
   BT_HDR* p_cmd;
   uint8_t* p_data;
 
-  CHECK(p_msg != NULL);
+  /*
+    An AVRC cmd consists of at least of:
+    - A BT_HDR, plus
+    - AVCT_MSG_OFFSET, plus
+    - 3 bytes for ctype, subunit_type and op_vendor, plus
+    - 3 bytes for company_id
+  */
+  #define AVRC_MIN_VENDOR_CMD_LEN (sizeof(BT_HDR) + AVCT_MSG_OFFSET + 3 + 3)
+
+  if (p_msg == nullptr ||
+      AVRC_META_CMD_BUF_SIZE < AVRC_MIN_VENDOR_CMD_LEN + p_msg->vendor_len) {
+    return nullptr;
+  }
 
-  CHECK(AVRC_META_CMD_BUF_SIZE > (AVRC_MIN_CMD_LEN + p_msg->vendor_len));
   p_cmd = (BT_HDR*)osi_calloc(AVRC_META_CMD_BUF_SIZE);
 
   p_cmd->offset = AVCT_MSG_OFFSET;