From 6cdf985a664476659b84d8c74698cb3dfa28f82b Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Thu, 18 May 2023 22:05:00 +0000
Subject: [PATCH] Fix OOB in a2dp_vendor_opus_decoder_decode_packet

a2dp_vendor_opus_decoder_decode_packet calls opus_decode() to decode
frames.  If initial decoding fails, it retries with a different set of
parameters; however, no further checks are included after the retry, and
the return value is then used to generate frame size.  If the retry
fails, the return value will be negative, which when converted to
unsigned to scale the frame buffer will lead to an enormous size which
easily overflows the frame buffer.

Add a check for this case.

Bug: 275626001
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7b6e560eda0e43dcac6ca8298fe01ee0762f508)
Merged-In: Ie8ec891bf5e2537eeee9272f550ae23f8797a878
Change-Id: Ie8ec891bf5e2537eeee9272f550ae23f8797a878
---
 system/stack/a2dp/a2dp_vendor_opus_decoder.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/system/stack/a2dp/a2dp_vendor_opus_decoder.cc b/system/stack/a2dp/a2dp_vendor_opus_decoder.cc
index fec3520e72f..d36112bf0f1 100644
--- a/system/stack/a2dp/a2dp_vendor_opus_decoder.cc
+++ b/system/stack/a2dp/a2dp_vendor_opus_decoder.cc
@@ -138,6 +138,12 @@ bool a2dp_vendor_opus_decoder_decode_packet(BT_HDR* p_buf) {
                               A2DP_OPUS_DECODE_BUFFER_LENGTH, 0 /* flags */);
       }
 
+      if (ret_val < OPUS_OK) {
+        LOG_ERROR("Opus DecodeFrame retry failed with %d, dropping packet",
+                  ret_val);
+        return false;
+      }
+
       size_t frame_len =
           ret_val * numChannels * sizeof(a2dp_opus_decoder_cb.decode_buf[0]);
       a2dp_opus_decoder_cb.decode_callback(
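Review bot: the new `if (ret_val < OPUS_OK)` guard rejects the negative error return (OPUS_OK is 0), but the size computed just below it, `ret_val * numChannels * sizeof(a2dp_opus_decoder_cb.decode_buf[0])`, still carries no upper bound of its own. It is safe only because opus_decode() caps its return value at the frame_size argument visible in the preceding context line (A2DP_OPUS_DECODE_BUFFER_LENGTH), which means decode_buf must be sized to at least A2DP_OPUS_DECODE_BUFFER_LENGTH * numChannels samples. Consider documenting that invariant with a comment or static_assert, or adding an explicit `frame_len <= sizeof(a2dp_opus_decoder_cb.decode_buf)` check before the callback, so a later change to the buffer length or channel count cannot silently reopen the overflow. Minor: this path is reachable with crafted packets from the remote peer, so LOG_ERROR on every dropped packet may flood the log; LOG_WARN or a rate-limited log is the usual choice for peer-controlled input.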
-- 
GitLab