Skip to content
Snippets Groups Projects
Commit b0d7d4e8 authored by Hui Peng's avatar Hui Peng
Browse files

Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc 

In  A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the
`-=` operation on it may result in integer underflow and
OOB write with the computed pointer passed to
A2DP_BuildMediaPayloadHeaderSbc.

The regression test is I2e026025ce49a02280dfcacd08f4bfc1b5d12264

Bug: 186803518
Test: atest net_test_stack_a2dp_codecs_native
Ignore-AOSP-First: security
Merged-In: I45320085b1e458d3b0e0d86162a35aaaae7b34cb
Change-Id: I45320085b1e458d3b0e0d86162a35aaaae7b34cb
parent 0494f1ab
No related branches found
No related tags found
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment