Fix an integer overflow bug in avdt_msg_asmbl am: bf9449a7 am: df75554b

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/23152778 Change-Id: Ia79662831bfe5d8a40a7c9b63e9f2eaf15b19852 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Fix an integer overflow bug in avdt_msg_asmbl am: bf9449a7 am: df75554b
5e673575 · Hui Peng · Automerger Merge Worker · a120c15e · df75554b · 5e673575
Commit 5e673575 authored 1 year ago by Hui Peng Committed by Automerger Merge Worker 1 year ago
--- a/system/stack/avdt/avdt_msg.cc
+++ b/system/stack/avdt/avdt_msg.cc
@@ -1285,14 +1285,14 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
       * NOTE: The buffer is allocated above at the beginning of the
       * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
       */
-      uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
+      size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);

      /* adjust offset and len of fragment for header byte */
      p_buf->offset += AVDT_LEN_TYPE_CONT;
      p_buf->len -= AVDT_LEN_TYPE_CONT;

      /* verify length */
-      if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) {
+      if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len) {
        /* won't fit; free everything */
        AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__);
        osi_free_and_reset((void**)&p_ccb->p_rx_msg);