Commit 6cdf985a authored by Brian Delwiche's avatar Brian Delwiche Committed by Android Build Coastguard Worker

Fix OOB in a2dp_vendor_opus_decoder_decode_packet

a2dp_vendor_opus_decoder_decode_packet calls opus_decode() to decode
frames.  If initial decoding fails, it retries with a different set of
parameters; however, no further checks are included after the retry, and
the return value is then used to generate frame size.  If the retry
fails, the return value will be negative, which when converted to
unsigned to scale the frame buffer will lead to an enormous size which
easily overflows the frame buffer.

Add a check for this case.

Bug: 275626001
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7b6e560eda0e43dcac6ca8298fe01ee0762f508)
Merged-In: Ie8ec891bf5e2537eeee9272f550ae23f8797a878
Change-Id: Ie8ec891bf5e2537eeee9272f550ae23f8797a878
parent 9e027677
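The signed-to-unsigned wrap that the commit message describes, as an added example that is not part of this change or of the AOSP Bluetooth stack: the `OPUS_OK` / `OPUS_INVALID_PACKET` values mirror libopus conventions, while the buffer size and function names are constructed stand-ins for the decoder's `decode_buf` and `frame_len` computation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* libopus convention: OPUS_OK is 0 and every error code is negative,
 * which is what a `ret_val < OPUS_OK` check relies on. */
#define OPUS_OK 0
#define OPUS_INVALID_PACKET (-4)

/* Constructed stand-in for the decoder's 16-bit PCM decode buffer. */
#define DECODE_BUFFER_SAMPLES 960
static int16_t decode_buf[DECODE_BUFFER_SAMPLES * 2];

/* Pre-fix shape of the computation: a negative decoder result is
 * converted to size_t during the multiplication, so an error code such
 * as -4 turns into a byte count near SIZE_MAX. */
size_t frame_len_unchecked(int ret_val, int numChannels) {
    size_t frame_len = ret_val * numChannels * sizeof(decode_buf[0]);
    return frame_len;
}

/* Post-fix shape: reject any decoder error before scaling the result.
 * Returns false (and leaves *out untouched) when the packet is dropped. */
bool frame_len_checked(int ret_val, int numChannels, size_t *out) {
    if (ret_val < OPUS_OK) {
        fprintf(stderr, "decode failed with %d, dropping packet\n", ret_val);
        return false;
    }
    /* Explicit cast: ret_val is now known to be non-negative. */
    *out = (size_t)ret_val * (size_t)numChannels * sizeof(decode_buf[0]);
    return true;
}

/* Bounds check a caller would apply before copying frame_len bytes. */
bool fits_in_decode_buf(size_t frame_len) {
    return frame_len <= sizeof(decode_buf);
}
```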
......@@ -138,6 +138,12 @@ bool a2dp_vendor_opus_decoder_decode_packet(BT_HDR* p_buf) {
A2DP_OPUS_DECODE_BUFFER_LENGTH, 0 /* flags */);
}
if (ret_val < OPUS_OK) {
LOG_ERROR("Opus DecodeFrame retry failed with %d, dropping packet",
ret_val);
return false;
}
size_t frame_len =
ret_val * numChannels * sizeof(a2dp_opus_decoder_cb.decode_buf[0]);
a2dp_opus_decoder_cb.decode_callback(
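Review bot: the multiplication at `size_t frame_len = ret_val * numChannels * sizeof(...)` still mixes a signed `int` with `size_t`, and the new `if (ret_val < OPUS_OK)` guard is the only thing keeping that conversion safe; an explicit `(size_t)ret_val` cast (or a one-line comment stating that opus_decode() returns a sample count on success and a negative error code on failure) would make the invariant visible to the next reader rather than leaving it implied by the check above. A second question worth a look: a `ret_val` of exactly 0 passes the guard, yields `frame_len == 0`, and still reaches `decode_callback`; if a zero-sample result should also be dropped, the condition could be `ret_val <= OPUS_OK`.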