Fix OOB in a2dp_vendor_opus_decoder_decode_packet
a2dp_vendor_opus_decoder_decode_packet calls opus_decode() to decode frames. If initial decoding fails, it retries with a different set of parameters; however, no further checks are included after the retry, and the return value is then used to generate frame size. If the retry fails, the return value will be negative, which when converted to unsigned to scale the frame buffer will lead to an enormous size which easily overflows the frame buffer. Add a check for this case. Bug: 275626001 Test: atest bluetooth_test_gd_unit, net_test_stack_btm Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7b6e560eda0e43dcac6ca8298fe01ee0762f508) Merged-In: Ie8ec891bf5e2537eeee9272f550ae23f8797a878 Change-Id: Ie8ec891bf5e2537eeee9272f550ae23f8797a878
Please register or sign in to comment