
DO NOT MERGE AVRC: Copy browse.p_browse_data in btif_av_event_deep_copy
authorHansong Zhang <hsz@google.com>
Thu, 14 Jun 2018 00:33:23 +0000 (17:33 -0700)
committerRyan Longair <rlongair@google.com>
Wed, 15 Aug 2018 20:24:59 +0000 (13:24 -0700)
p_msg_src->browse.p_browse_data is not copied, but used after the
original pointer is freed

Bug: 109699112
Test: manual
Change-Id: I1d014eb9a8911da6913173a9b11218bf1c89e16e
(cherry picked from commit 1d9a58768e6573899c7e80c2b3f52e22f2d8f58b)

btif/src/btif_av.cc

index 14d4444..0178e36 100644 (file)
@@ -1180,6 +1180,14 @@ void btif_av_event_deep_copy(uint16_t event, char* p_dest, char* p_src) {
           memcpy(p_msg_dest->vendor.p_vendor_data,
                  p_msg_src->vendor.p_vendor_data, p_msg_src->vendor.vendor_len);
         }
+        if ((p_msg_src->hdr.opcode == AVRC_OP_BROWSE) &&
+            p_msg_src->browse.p_browse_data && p_msg_src->browse.browse_len) {
+          p_msg_dest->browse.p_browse_data =
+              (uint8_t*)osi_calloc(p_msg_src->browse.browse_len);
+          memcpy(p_msg_dest->browse.p_browse_data,
+                 p_msg_src->browse.p_browse_data, p_msg_src->browse.browse_len);
+          android_errorWriteLog(0x534e4554, "109699112");
+        }
       }
       break;
 
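Review bot: The new branch only replaces p_msg_dest->browse.p_browse_data when the opcode is AVRC_OP_BROWSE and both the pointer and browse_len are non-zero; when the opcode matches but that inner condition fails, the destination keeps whatever value the earlier copy gave it. If that earlier copy is a shallow struct copy (the vendor branch just above and the commit message's "used after the original pointer is freed" both suggest it is), the destination then aliases the source buffer, and the unconditional osi_free added in the second hunk would release memory the copy does not own. A guard like `if (p_msg_src->hdr.opcode == AVRC_OP_BROWSE) { if (p_msg_src->browse.p_browse_data && p_msg_src->browse.browse_len) { /* allocate and copy */ } else { p_msg_dest->browse.p_browse_data = NULL; } }` keeps every AVRC_OP_BROWSE copy either owned or null so the free path stays safe. btif_av_event_deep_copy starts before this hunk, so I cannot confirm how the rest of the struct is copied; please check the shallow-copy line above.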
@@ -1198,6 +1206,9 @@ static void btif_av_event_free_data(btif_sm_event_t event, void* p_data) {
         if (av->meta_msg.p_msg->hdr.opcode == AVRC_OP_VENDOR) {
           osi_free(av->meta_msg.p_msg->vendor.p_vendor_data);
         }
+        if (av->meta_msg.p_msg->hdr.opcode == AVRC_OP_BROWSE) {
+          osi_free(av->meta_msg.p_msg->browse.p_browse_data);
+        }
         osi_free_and_reset((void**)&av->meta_msg.p_msg);
       }
     } break;
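Review bot: The new osi_free of browse.p_browse_data is correct only because the deep-copy routine now owns that buffer for AVRC_OP_BROWSE messages, and nothing at this site records that dependency. A short comment on the added block, `// Owned: allocated by btif_av_event_deep_copy for AVRC_OP_BROWSE messages`, would keep a future change to either function from breaking the pairing. The three opcode-specific frees could also be written as a single switch on hdr.opcode with a default, which makes it harder to add a fourth opcode's allocation without its matching free. btif_av_event_free_data starts before this hunk.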