Merge "Fix an OOB Write bug in avrc_vendor_msg" into tm-dev am: 14621c25 am: a6d464ec

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/23253860 Change-Id: Ida785f515709ffb568afe179f94d5c02e76db67d Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Merge "Fix an OOB Write bug in avrc_vendor_msg" into tm-dev am: 14621c25 am: a6d464ec
fa9e6720 · Hui Peng · Automerger Merge Worker · e4a78b9f · a6d464ec · fa9e6720
Commit fa9e6720 authored 1 year ago by Hui Peng Committed by Automerger Merge Worker 1 year ago
--- a/system/stack/avrc/avrc_opt.cc
+++ b/system/stack/avrc/avrc_opt.cc
@@ -49,9 +49,20 @@ static BT_HDR* avrc_vendor_msg(tAVRC_MSG_VENDOR* p_msg) {
  BT_HDR* p_cmd;
  uint8_t* p_data;

-  CHECK(p_msg != NULL);
+  /*
+    An AVRC cmd consists of at least of:
+    - A BT_HDR, plus
+    - AVCT_MSG_OFFSET, plus
+    - 3 bytes for ctype, subunit_type and op_vendor, plus
+    - 3 bytes for company_id
+  */
+  #define AVRC_MIN_VENDOR_CMD_LEN (sizeof(BT_HDR) + AVCT_MSG_OFFSET + 3 + 3)
+
+  if (p_msg == nullptr ||
+      AVRC_META_CMD_BUF_SIZE < AVRC_MIN_VENDOR_CMD_LEN + p_msg->vendor_len) {
+    return nullptr;
+  }

-  CHECK(AVRC_META_CMD_BUF_SIZE > (AVRC_MIN_CMD_LEN + p_msg->vendor_len));
  p_cmd = (BT_HDR*)osi_calloc(AVRC_META_CMD_BUF_SIZE);

  p_cmd->offset = AVCT_MSG_OFFSET;