Fix a potential OOB read resulted from integer underflow

This is an issue similar with I45320085b1e458d3b0e0d86162a35aaaae7b34cb The regression test is: I8bdaf3fef16a2d9d366a7fc9b0f2f0a35d3fb12d Test: atest net_test_stack_a2dp_codecs_native Bug: 259939578 Ignore-AOSP-First: security Merged-In: I4744169dcca79ab3564f4e9e34bdf428cf678ed7 Change-Id: I4744169dcca79ab3564f4e9e34bdf428cf678ed7

Fix a potential OOB read resulted from integer underflow
b6433f14 · Hui Peng · 15fbebc8 · b6433f14
Commit b6433f14 authored 2 years ago by Hui Peng
--- a/system/stack/a2dp/a2dp_vendor_ldac.cc
+++ b/system/stack/a2dp/a2dp_vendor_ldac.cc
@@ -518,6 +518,11 @@ bool A2DP_VendorBuildCodecHeaderLdac(UNUSED_ATTR const uint8_t* p_codec_info,
                                     uint16_t frames_per_packet) {
  uint8_t* p;

+  // there is a 4 byte timestamp right following p_buf
+  if (p_buf->offset < 4 + A2DP_LDAC_MPL_HDR_LEN) {
+    return false;
+  }
+
  p_buf->offset -= A2DP_LDAC_MPL_HDR_LEN;
  p = (uint8_t*)(p_buf + 1) + p_buf->offset;
  p_buf->len += A2DP_LDAC_MPL_HDR_LEN;