From 29874930e224fe108781e0d23e457d0b333d11e8 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 16 May 2023 02:30:39 +0000
Subject: [PATCH] Fix an OOB Write bug in avrc_vendor_msg

Plus some cleanup

Bug: 271962784
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b636f1bcd097b612de7696594d05cb9ea84939fa)
Merged-In: Ice5ad780ac0b177c73d84ed37960b4540df1ec86
Change-Id: Ice5ad780ac0b177c73d84ed37960b4540df1ec86
---
 system/stack/avrc/avrc_opt.cc | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/system/stack/avrc/avrc_opt.cc b/system/stack/avrc/avrc_opt.cc
index a611e3f5a72..87c685c2c49 100644
--- a/system/stack/avrc/avrc_opt.cc
+++ b/system/stack/avrc/avrc_opt.cc
@@ -49,9 +49,20 @@ static BT_HDR* avrc_vendor_msg(tAVRC_MSG_VENDOR* p_msg) {
   BT_HDR* p_cmd;
   uint8_t* p_data;
 
-  CHECK(p_msg != NULL);
+  /*
+    An AVRC cmd consists of at least of:
+    - A BT_HDR, plus
+    - AVCT_MSG_OFFSET, plus
+    - 3 bytes for ctype, subunit_type and op_vendor, plus
+    - 3 bytes for company_id
+  */
+  #define AVRC_MIN_VENDOR_CMD_LEN (sizeof(BT_HDR) + AVCT_MSG_OFFSET + 3 + 3)
+
+  if (p_msg == nullptr ||
+      AVRC_META_CMD_BUF_SIZE < AVRC_MIN_VENDOR_CMD_LEN + p_msg->vendor_len) {
+    return nullptr;
+  }
 
-  CHECK(AVRC_META_CMD_BUF_SIZE > (AVRC_MIN_CMD_LEN + p_msg->vendor_len));
   p_cmd = (BT_HDR*)osi_calloc(AVRC_META_CMD_BUF_SIZE);
 
   p_cmd->offset = AVCT_MSG_OFFSET;
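Review bot: The new early-return guard turns what was a CHECK abort into a silent `nullptr` result, so every caller of avrc_vendor_msg must now test the return value before dereferencing it; the callers are outside this hunk and the commit message does not say they were audited. The bound check also relaxes the old strict `>` to accept `AVRC_MIN_VENDOR_CMD_LEN + p_msg->vendor_len == AVRC_META_CMD_BUF_SIZE`, which is only safe if the remainder of the function writes nothing after the vendor payload — worth confirming against the body below the hunk. As a style point, `#define AVRC_MIN_VENDOR_CMD_LEN` is placed inside the function body, but the preprocessor has no block scope so it leaks to the rest of the translation unit; since this is a C++ file, a scoped constant at file scope such as `constexpr size_t kAvrcMinVendorCmdLen = sizeof(BT_HDR) + AVCT_MSG_OFFSET + 3 + 3;` (or at least the macro hoisted to file scope with an `#undef`) would be cleaner. The new comment's "consists of at least of" should read "consists of at least". avrc_vendor_msg begins before and ends after this hunk.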
-- 