From b6433f14f61e4066fe4f3ab0b71c44dd427ce1d0 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Fri, 2 Dec 2022 08:29:50 +0000
Subject: [PATCH] Fix a potential OOB read resulted from integer underflow

This issue is similar to I45320085b1e458d3b0e0d86162a35aaaae7b34cb

The regression test is: I8bdaf3fef16a2d9d366a7fc9b0f2f0a35d3fb12d

Test: atest net_test_stack_a2dp_codecs_native
Bug: 259939578
Ignore-AOSP-First: security
Merged-In: I4744169dcca79ab3564f4e9e34bdf428cf678ed7
Change-Id: I4744169dcca79ab3564f4e9e34bdf428cf678ed7
---
 system/stack/a2dp/a2dp_vendor_ldac.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/system/stack/a2dp/a2dp_vendor_ldac.cc b/system/stack/a2dp/a2dp_vendor_ldac.cc
index b6aaee59f27..e8430ffe1aa 100644
--- a/system/stack/a2dp/a2dp_vendor_ldac.cc
+++ b/system/stack/a2dp/a2dp_vendor_ldac.cc
@@ -518,6 +518,11 @@ bool A2DP_VendorBuildCodecHeaderLdac(UNUSED_ATTR const uint8_t* p_codec_info,
                                      uint16_t frames_per_packet) {
   uint8_t* p;
 
+  // there is a 4 byte timestamp right following p_buf
+  if (p_buf->offset < 4 + A2DP_LDAC_MPL_HDR_LEN) {
+    return false;
+  }
+
   p_buf->offset -= A2DP_LDAC_MPL_HDR_LEN;
   p = (uint8_t*)(p_buf + 1) + p_buf->offset;
   p_buf->len += A2DP_LDAC_MPL_HDR_LEN;
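Review bot: The bare `4` in the new guard at the top of A2DP_VendorBuildCodecHeaderLdac is a magic number, and the comment "right following p_buf" does not say that the timestamp sits at the start of the data area that `(uint8_t*)(p_buf + 1)` points to. If the timestamp is a 32-bit value, as its size suggests, I would write `if (p_buf->offset < sizeof(uint32_t) + A2DP_LDAC_MPL_HDR_LEN) {` (or use a named constant) with a comment such as `// The data area after the buffer header starts with a 4-byte timestamp; prepending the media payload header must neither underflow offset nor overlap it.` The early `return false` is also silent, so an error log with the rejected `p_buf->offset` would make undersized buffers visible when triaging. The guard only helps if callers, which are outside this hunk, drop the packet on `false` instead of continuing with the buffer, so that is worth confirming. The function body continues past the end of the hunk.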
-- 
GitLab