Brian Delwiche authored
a2dp_vendor_opus_decoder_decode_packet calls opus_decode() to decode
frames.  If initial decoding fails, it retries with a different set of
parameters; however, no further checks are included after the retry, and
the return value is then used to generate frame size.  If the retry
fails, the return value will be negative, which when converted to
unsigned to scale the frame buffer will lead to an enormous size which
easily overflows the frame buffer.

Add a check for this case.

Bug: 275626001
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7b6e560eda0e43dcac6ca8298fe01ee0762f508)
Merged-In: Ie8ec891bf5e2537eeee9272f550ae23f8797a878
Change-Id: Ie8ec891bf5e2537eeee9272f550ae23f8797a878
6cdf985a
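
The failure mode the commit message describes, as an added example that is not the AOSP code: `stub_decode`, the packet bytes, the buffer sizes and both `frame_bytes_*` functions are hypothetical stand-ins for the decoder call and its retry. It only computes the frame size, showing how a negative return becomes an enormous unsigned value and where the check belongs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHANNELS 2
#define MAX_SAMPLES 480                       /* per channel, constructed */
#define FRAME_BUF_BYTES (MAX_SAMPLES * CHANNELS * sizeof(int16_t))

/* Hypothetical stand-in for the decoder: returns samples per channel, or a
 * negative error. First byte 0xFE fails only without fec; 0xFF always fails. */
static int stub_decode(const uint8_t *pkt, size_t len, int16_t *pcm, int fec) {
  if (len == 0 || pkt[0] == 0xFF || (pkt[0] == 0xFE && !fec)) return -4;
  int n = len < (size_t)MAX_SAMPLES ? (int)len : MAX_SAMPLES;
  memset(pcm, 0, (size_t)n * CHANNELS * sizeof(int16_t));
  return n;
}

/* Before: the retry result is used without a check. Only the size is
 * computed here; nothing is written with it. */
size_t frame_bytes_unchecked(const uint8_t *pkt, size_t len, int16_t *pcm) {
  int ret = stub_decode(pkt, len, pcm, 0);
  if (ret < 0) ret = stub_decode(pkt, len, pcm, 1);   /* retry */
  return (size_t)ret * CHANNELS * sizeof(int16_t);    /* -4 becomes huge */
}

/* After: reject a failed retry before the value is converted to unsigned. */
int frame_bytes_checked(const uint8_t *pkt, size_t len, int16_t *pcm, size_t *out) {
  int ret = stub_decode(pkt, len, pcm, 0);
  if (ret < 0) ret = stub_decode(pkt, len, pcm, 1);   /* retry */
  if (ret < 0) return ret;                            /* the added check */
  size_t bytes = (size_t)ret * CHANNELS * sizeof(int16_t);
  if (bytes > FRAME_BUF_BYTES) return -1;             /* defensive bound */
  *out = bytes;
  return 0;
}

int main(void) {
  int16_t pcm[MAX_SAMPLES * CHANNELS];
  const uint8_t bad[] = {0xFF, 0x00, 0x00};           /* constructed packet */
  size_t out = 0;
  printf("unchecked size: %zu\n", frame_bytes_unchecked(bad, sizeof bad, pcm));
  printf("checked rc:     %d\n", frame_bytes_checked(bad, sizeof bad, pcm, &out));
  return 0;
}
```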