DO NOT MERGE: AVRCP: Check the number of text attributes requested

[android-x86/system-bt.git] / stack / avrc / avrc_pars_tg.c

diff --git a/stack/avrc/avrc_pars_tg.c b/stack/avrc/avrc_pars_tg.c
index d3d5262..e582060 100644 (file)
--- a/stack/avrc/avrc_pars_tg.c
+++ b/stack/avrc/avrc_pars_tg.c
@@ -21,6 +21,7 @@
 #include "avrc_api.h"
 #include "avrc_defs.h"
 #include "avrc_int.h"
+#include "log/log.h"
 
 /*****************************************************************************
 **  Global data
@@ -42,7 +43,7 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_
                                       UINT8 *p_buf, UINT16 buf_len)
 {
     tAVRC_STS  status = AVRC_STS_NO_ERROR;
-    UINT8   *p = p_msg->p_vendor_data;
+    UINT8   *p;
     UINT16  len;
     UINT8   xx, yy;
     UINT8   *p_u8;
@@ -51,11 +52,18 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_
     tAVRC_APP_SETTING       *p_app_set;
     UINT16  size_needed;
 
+    /* Check the vendor data */
+    if (p_msg->vendor_len == 0)
+        return AVRC_STS_NO_ERROR;
+    if (p_msg->p_vendor_data == NULL)
+        return AVRC_STS_INTERNAL_ERR;
+
+    p = p_msg->p_vendor_data;
     p_result->pdu = *p++;
-    AVRC_TRACE_DEBUG1("avrc_pars_vendor_cmd() pdu:0x%x", p_result->pdu);
+    AVRC_TRACE_DEBUG("avrc_pars_vendor_cmd() pdu:0x%x", p_result->pdu);
     if (!AVRC_IsValidAvcType (p_result->pdu, p_msg->hdr.ctype))
     {
-        AVRC_TRACE_DEBUG0("avrc_pars_vendor_cmd() detects wrong AV/C type!");
+        AVRC_TRACE_DEBUG("avrc_pars_vendor_cmd() detects wrong AV/C type!");
         status = AVRC_STS_BAD_CMD;
     }
 
@@ -101,6 +109,12 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_
             status = AVRC_STS_INTERNAL_ERR;
             break;
         }
+
+        if (p_result->get_cur_app_val.num_attr > AVRC_MAX_APP_ATTR_SIZE) {
+          android_errorWriteLog(0x534e4554, "63146237");
+          p_result->get_cur_app_val.num_attr = AVRC_MAX_APP_ATTR_SIZE;
+        }
+
         p_u8 = p_result->get_cur_app_val.attrs;
         for (xx=0, yy=0; xx< p_result->get_cur_app_val.num_attr; xx++)
         {
@@ -132,14 +146,14 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_
             }
             if (xx != p_result->set_app_val.num_val)
             {
-                AVRC_TRACE_ERROR2("AVRC_PDU_SET_PLAYER_APP_VALUE not enough room:%d orig num_val:%d",
+                AVRC_TRACE_ERROR("AVRC_PDU_SET_PLAYER_APP_VALUE not enough room:%d orig num_val:%d",
                     xx, p_result->set_app_val.num_val);
                 p_result->set_app_val.num_val = xx;
             }
         }
         else
         {
-            AVRC_TRACE_ERROR0("AVRC_PDU_SET_PLAYER_APP_VALUE NULL decode buffer or bad len");
+            AVRC_TRACE_ERROR("AVRC_PDU_SET_PLAYER_APP_VALUE NULL decode buffer or bad len");
             status = AVRC_STS_INTERNAL_ERR;
         }
         break;
@@ -301,13 +315,13 @@ tAVRC_STS AVRC_ParsCommand (tAVRC_MSG *p_msg, tAVRC_COMMAND *p_result, UINT8 *p_
             break;
 
         default:
-            AVRC_TRACE_ERROR1("AVRC_ParsCommand() unknown opcode:0x%x", p_msg->hdr.opcode);
+            AVRC_TRACE_ERROR("AVRC_ParsCommand() unknown opcode:0x%x", p_msg->hdr.opcode);
             break;
         }
         p_result->cmd.opcode = p_msg->hdr.opcode;
         p_result->cmd.status = status;
     }
-    AVRC_TRACE_DEBUG1("AVRC_ParsCommand() return status:0x%x", status);
+    AVRC_TRACE_DEBUG("AVRC_ParsCommand() return status:0x%x", status);
     return status;
 }