Fix OOB in a2dp_vendor_opus_decoder_decode_packet

a2dp_vendor_opus_decoder_decode_packet calls opus_decode() to decode frames. If initial decoding fails, it retries with a different set of parameters; however, no further checks are included after the retry, and the return value is then used to generate frame size. If the retry fails, the return value will be negative, which when converted to unsigned to scale the frame buffer will lead to an enormous size which easily overflows the frame buffer. Add a check for this case. Bug: 275626001 Test: atest bluetooth_test_gd_unit, net_test_stack_btm Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7b6e560eda0e43dcac6ca8298fe01ee0762f508) Merged-In: Ie8ec891bf5e2537eeee9272f550ae23f8797a878 Change-Id: Ie8ec891bf5e2537eeee9272f550ae23f8797a878

Fix OOB in a2dp_vendor_opus_decoder_decode_packet
6cdf985a · Brian Delwiche · Android Build Coastguard Worker · 9e027677 · 6cdf985a
Commit 6cdf985a authored 1 year ago by Brian Delwiche Committed by Android Build Coastguard Worker 1 year ago
--- a/system/stack/a2dp/a2dp_vendor_opus_decoder.cc
+++ b/system/stack/a2dp/a2dp_vendor_opus_decoder.cc
@@ -138,6 +138,12 @@ bool a2dp_vendor_opus_decoder_decode_packet(BT_HDR* p_buf) {
                              A2DP_OPUS_DECODE_BUFFER_LENGTH, 0 /* flags */);
      }

+      if (ret_val < OPUS_OK) {
+        LOG_ERROR("Opus DecodeFrame retry failed with %d, dropping packet",
+                  ret_val);
+        return false;
+      }
+
      size_t frame_len =
          ret_val * numChannels * sizeof(a2dp_opus_decoder_cb.decode_buf[0]);
      a2dp_opus_decoder_cb.decode_callback(