if (p_cb->p_cmd_buf == NULL)
{
- p_cb->p_cmd_buf = (char *) GKI_getbuf(p_cb->cmd_max_len);
+ if ((p_cb->p_cmd_buf = (char *) GKI_getbuf(p_cb->cmd_max_len)) == NULL)
+ {
+ APPL_TRACE_ERROR("%s: GKI_getbuf() failed allocation", __func__);
+ return;
+ }
p_cb->cmd_pos = 0;
}
#if (BTM_WBS_INCLUDED == TRUE )
tBTA_AG_PEER_CODEC codec_type, codec_sent;
#endif
+ if (p_arg == NULL)
+ {
+ APPL_TRACE_ERROR("%s: p_arg is null, send error and return", __func__);
+ bta_ag_send_error(p_scb, BTA_AG_ERR_INV_CHAR_IN_TSTR);
+ return;
+ }
APPL_TRACE_DEBUG("HFP AT cmd:%d arg_type:%d arg:%d arg:%s", cmd, arg_type,
int_arg, p_arg);
/* coverity[var_deref_model] */
/* false-positive: bta_av_conn_cback only processes AVDT_CONNECT_IND_EVT and AVDT_DISCONNECT_IND_EVT event
* these 2 events always have associated p_data */
- bta_av_conn_cback(handle, bd_addr, event, p_data);
+ if (p_data)
+ {
+ bta_av_conn_cback(handle, bd_addr, event, p_data);
+ }
+ else
+ {
+ APPL_TRACE_ERROR("%s: p_data is null", __func__);
+ }
}
/*******************************************************************************
tBTA_AV_SCB *p_scb;
UINT8 rc_handle; /* connected AVRCP handle */
+ p_scb = NULL;
if(p_rcb->handle != BTA_AV_RC_HANDLE_NONE)
{
if(p_rcb->shdl)
{
- p_scb = bta_av_cb.p_scb[p_rcb->shdl - 1];
+ /* Validate array index*/
+ if ((p_rcb->shdl - 1) < BTA_AV_NUM_STRS)
+ {
+ p_scb = bta_av_cb.p_scb[p_rcb->shdl - 1];
+ }
if(p_scb)
{
APPL_TRACE_DEBUG("bta_av_del_rc shdl:%d, srch:%d rc_handle:%d", p_rcb->shdl,
void bta_av_conn_chg(tBTA_AV_DATA *p_data)
{
tBTA_AV_CB *p_cb = &bta_av_cb;
- tBTA_AV_SCB *p_scb;
+ tBTA_AV_SCB *p_scb = NULL;
tBTA_AV_SCB *p_scbi;
UINT8 mask;
UINT8 conn_msk;
tBTA_AV_RCB *p_rcb, *p_rcb2;
BOOLEAN chk_restore = FALSE;
- p_scb = p_cb->p_scb[index];
-
+ /* Validate array index*/
+ if (index < BTA_AV_NUM_STRS)
+ {
+ p_scb = p_cb->p_scb[index];
+ }
mask = BTA_AV_HNDL_TO_MSK(index);
p_lcb = bta_av_find_lcb(p_data->conn_chg.peer_addr, BTA_AV_LCB_FIND);
conn_msk = 1 << (index + 1);
{
UINT8 inx = (UINT8)p_tle->param;
tBTA_AV_CB *p_cb = &bta_av_cb;
- tBTA_AV_SCB *p_scb = p_cb->p_scb[inx];
+ tBTA_AV_SCB *p_scb = NULL;
tBTA_AV_API_OPEN *p_buf;
-
+ if (inx < BTA_AV_NUM_STRS)
+ {
+ p_scb = p_cb->p_scb[inx];
+ }
if (p_scb)
{
APPL_TRACE_DEBUG("bta_av_acp_sig_timer_cback, coll_mask = 0x%02X", p_scb->coll_mask);
}
else
{
- p_scb = p_cb->p_scb[(p_cb->disc & BTA_AV_HNDL_MSK) - 1];
+ /* Validate array index*/
+ if (((p_cb->disc & BTA_AV_HNDL_MSK) - 1) < BTA_AV_NUM_STRS)
+ {
+ p_scb = p_cb->p_scb[(p_cb->disc & BTA_AV_HNDL_MSK) - 1];
+ }
if (p_scb)
rc_handle = p_scb->rc_handle;
else
tBTA_AV_LCB *p_lcb;
rc_close.rc_handle = BTA_AV_RC_HANDLE_NONE;
+ p_scb = NULL;
APPL_TRACE_DEBUG("bta_av_rc_closed rc_handle:%d", p_msg->handle);
for(i=0; i<BTA_AV_NUM_RCB; i++)
{
APPL_TRACE_DEBUG(" shdl:%d, lidx:%d", p_rcb->shdl, p_rcb->lidx);
if(p_rcb->shdl)
{
- p_scb = bta_av_cb.p_scb[p_rcb->shdl - 1];
+ if ((p_rcb->shdl - 1) < BTA_AV_NUM_STRS)
+ {
+ p_scb = bta_av_cb.p_scb[p_rcb->shdl - 1];
+ }
if(p_scb)
{
bdcpy(rc_close.peer_addr, p_scb->peer_addr);
static void bta_av_sys_rs_cback (tBTA_SYS_CONN_STATUS status,UINT8 id, UINT8 app_id, BD_ADDR peer_addr)
{
int i;
- tBTA_AV_SCB *p_scb;
+ tBTA_AV_SCB *p_scb = NULL;
tBTA_AV_ROLE_RES *p_buf;
UINT8 cur_role;
UINT8 peer_idx = 0;
/* we need to continue opening process for the BTA_AvOpen(). */
if ((bta_av_cb.rs_idx != 0) && (bta_av_cb.rs_idx != peer_idx))
{
- p_scb = bta_av_cb.p_scb[bta_av_cb.rs_idx - 1];
+ if ((bta_av_cb.rs_idx -1) < BTA_AV_NUM_STRS)
+ {
+ p_scb = bta_av_cb.p_scb[bta_av_cb.rs_idx - 1];
+ }
if (p_scb && p_scb->q_tag == BTA_AV_Q_TAG_OPEN)
{
APPL_TRACE_DEBUG ("bta_av_sys_rs_cback: rs_idx(%d), hndl:x%x q_tag: %d",
BTIF_TRACE_DEBUG("%s: event=%s", __FUNCTION__, dump_hf_event(event));
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return;
+ }
+
switch (event)
{
case BTA_AG_ENABLE_EVT:
int idx = btif_hf_idx_by_bdaddr((bt_bdaddr_t *)p_param);
BTIF_TRACE_EVENT("%s: event=%d", __FUNCTION__, event);
+
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return;
+ }
+
switch (event) {
case BTIF_HFP_CB_AUDIO_CONNECTING:
{
int idx = btif_hf_idx_by_bdaddr(bd_addr);
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return BT_STATUS_FAIL;
+ }
+
if (is_connected(bd_addr) && (idx != BTIF_HF_INVALID_IDX))
{
BTA_AgClose(btif_hf_cb[idx].handle);
int idx = btif_hf_idx_by_bdaddr(bd_addr);
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return BT_STATUS_FAIL;
+ }
+
/* Check if SLC is connected */
if (btif_hf_check_if_slc_connected() != BT_STATUS_SUCCESS)
return BT_STATUS_NOT_READY;
int idx = btif_hf_idx_by_bdaddr(bd_addr);
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return BT_STATUS_FAIL;
+ }
+
if (is_connected(bd_addr) && (idx != BTIF_HF_INVALID_IDX))
{
BTA_AgAudioClose(btif_hf_cb[idx].handle);
int idx = btif_hf_idx_by_bdaddr(bd_addr);
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return BT_STATUS_FAIL;
+ }
+
if (is_connected(bd_addr) && (idx != BTIF_HF_INVALID_IDX))
{
if (btif_hf_cb[idx].peer_feat & BTA_AG_PEER_FEAT_VREC)
int idx = btif_hf_idx_by_bdaddr(bd_addr);
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return BT_STATUS_FAIL;
+ }
+
if (is_connected(bd_addr) && (idx != BTIF_HF_INVALID_IDX))
{
if (btif_hf_cb[idx].peer_feat & BTA_AG_PEER_FEAT_VREC)
int idx = btif_hf_idx_by_bdaddr(bd_addr);
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return BT_STATUS_FAIL;
+ }
+
tBTA_AG_RES_DATA ag_res;
memset(&ag_res, 0, sizeof(tBTA_AG_RES_DATA));
if (is_connected(bd_addr) && (idx != BTIF_HF_INVALID_IDX))
int idx = btif_hf_idx_by_bdaddr(bd_addr);
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return BT_STATUS_FAIL;
+ }
+
if (is_connected(bd_addr) && (idx != BTIF_HF_INVALID_IDX))
{
tBTA_AG_RES_DATA ag_res;
int idx = btif_hf_idx_by_bdaddr(bd_addr);
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return BT_STATUS_FAIL;
+ }
+
if (is_connected(bd_addr) && (idx != BTIF_HF_INVALID_IDX))
{
tBTA_AG_RES_DATA ag_res;
tBTA_AG_RES_DATA ag_res;
int idx = btif_hf_idx_by_bdaddr(bd_addr);
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return BT_STATUS_FAIL;
+ }
+
if (is_connected(bd_addr) && (idx != BTIF_HF_INVALID_IDX))
{
/* Format the response and send */
int idx = btif_hf_idx_by_bdaddr(bd_addr);
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return BT_STATUS_FAIL;
+ }
+
if (is_connected(bd_addr) && (idx != BTIF_HF_INVALID_IDX))
{
send_at_result((response_code == BTHF_AT_RESPONSE_OK) ? BTA_AG_OK_DONE
int idx = btif_hf_idx_by_bdaddr(bd_addr);
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return BT_STATUS_FAIL;
+ }
+
if (is_connected(bd_addr) && (idx != BTIF_HF_INVALID_IDX))
{
tBTA_AG_RES_DATA ag_res;
int idx = btif_hf_idx_by_bdaddr(bd_addr);
+ if ((idx < 0) || (idx >= BTIF_HF_NUM_CB))
+ {
+ BTIF_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
+ return BT_STATUS_FAIL;
+ }
+
BTIF_TRACE_EVENT("%s config is %d", __FUNCTION__,config);
if (config == BTHF_WBS_YES)
BTA_AgSetCodec(btif_hf_cb[idx].handle,BTA_AG_CODEC_MSBC);
if (role == AVCT_INT)
{
/* the link control block must exist before this function is called as INT. */
- if (p_ccb->p_lcb == NULL)
+ if ((p_ccb->p_lcb == NULL) || (p_ccb->p_lcb->allocated == 0))
{
result = AVCT_NOT_OPEN;
}
nsc_mask = AVDT_NSC_SUSPEND;
/* verify every scb */
- for (i = 0, *p_err_code = 0; i < num_seid && *p_err_code == 0; i++)
+ for (i = 0, *p_err_code = 0; (i < num_seid) && (*p_err_code == 0) && (i < AVDT_NUM_SEPS); i++)
{
if ((p_scb = avdt_scb_by_hdl(p_seid[i])) == NULL)
*p_err_code = AVDT_ERR_BAD_STATE;
}
}
- if (i != num_seid)
+ if ((i != num_seid) && (i < AVDT_NUM_SEPS))
{
ret = p_seid[i];
}
AVRC_TRACE_DEBUG ("p_pkt->len(%d) > AVRC_MAX_CTRL_DATA_LEN", p_pkt->len );
p_pkt_new = (BT_HDR *)GKI_getbuf((UINT16)(AVRC_PACKET_LEN + AVCT_MSG_OFFSET
+ BT_HDR_SIZE));
- if (p_pkt_new)
+ if (p_pkt_new && (p_start != NULL))
{
p_fcb->frag_enabled = TRUE;
p_fcb->p_fmsg = p_pkt;
OSDN Git Service
