OSDN Git Service
(root)
/
android-x86
/
system-bt.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
052a5de
)
RESTRICT AUTOMERGE Security fix OOB read vuln stack/avrc/avrc_pars_tg
author
Chris Manton
<cmanton@google.com>
Wed, 24 Mar 2021 16:11:26 +0000
(09:11 -0700)
committer
Chris Manton
<cmanton@google.com>
Tue, 29 Jun 2021 00:12:44 +0000
(
00:12
+0000)
Bug:
168712382
Tag: #security
Test: gd/cert/run
Ignore-AOSP-First: Security
Change-Id: Iae823e45675d46d8ca037157e516cc2f94fadfab
stack/avrc/avrc_pars_tg.cc
patch
|
blob
|
history
diff --git
a/stack/avrc/avrc_pars_tg.cc
b/stack/avrc/avrc_pars_tg.cc
index
db13bd5
..
c59c18d
100644
(file)
--- a/
stack/avrc/avrc_pars_tg.cc
+++ b/
stack/avrc/avrc_pars_tg.cc
@@
-119,6
+119,13
@@
static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg,
if (p_msg->vendor_len == 0) return AVRC_STS_NO_ERROR;
if (p_msg->p_vendor_data == NULL) return AVRC_STS_INTERNAL_ERR;
+ if (p_msg->vendor_len < 4) {
+ android_errorWriteLog(0x534e4554, "168712382");
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+ __func__, p_msg->vendor_len);
+ return AVRC_STS_INTERNAL_ERR;
+ }
+
p = p_msg->p_vendor_data;
p_result->pdu = *p++;
AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);