
HFP: Fix out of bound access in phone number processing
authorHansong Zhang <hsz@google.com>
Wed, 27 Jun 2018 21:26:40 +0000 (14:26 -0700)
committerandroid-build-team Robot <android-build-team-robot@google.com>
Fri, 3 Aug 2018 19:17:34 +0000 (19:17 +0000)
* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
  method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
  PhoneStateChange method

Bug: 79431031
Bug: 79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
(cherry picked from commit 820b4327b1359fb1b389e07fc0f8c5e1304a7bfa)

btif/src/btif_hf.cc

index 9ec6da8..01a7a44 100644 (file)
@@ -33,6 +33,7 @@
 
 #include <hardware/bluetooth.h>
 #include <hardware/bt_hf.h>
+#include <log/log.h>
 
 #include "bta/include/utl.h"
 #include "bta_ag_api.h"
@@ -1198,13 +1199,20 @@ static bt_status_t clcc_response(int index, bthf_call_direction_t dir,
           dialnum[newidx++] = '+';
         }
         for (size_t i = 0; number[i] != 0; i++) {
+          if (newidx >= (sizeof(dialnum) - res_strlen - 1)) {
+            android_errorWriteLog(0x534e4554, "79266386");
+            break;
+          }
           if (utl_isdialchar(number[i])) {
             dialnum[newidx++] = number[i];
           }
         }
         dialnum[newidx] = 0;
-        snprintf(&ag_res.str[res_strlen], rem_bytes, ",\"%s\",%d", dialnum,
-                 type);
+        // Reserve 5 bytes for ["][,][3_digit_type]
+        snprintf(&ag_res.str[res_strlen], rem_bytes - 5, ",\"%s", dialnum);
+        std::stringstream remaining_string;
+        remaining_string << "\"," << type;
+        strncat(&ag_res.str[res_strlen], remaining_string.str().c_str(), 5);
       }
     }
     BTA_AgResult(btif_hf_cb[idx].handle, BTA_AG_CLCC_RES, &ag_res);
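Review bot: The `rem_bytes - 5` passed to the new snprintf is size_t arithmetic and wraps to a huge value if fewer than 5 bytes remain after the CLCC prefix, which would reintroduce the overflow this commit removes; the loop guard `sizeof(dialnum) - res_strlen - 1` has the same wrap if res_strlen can ever reach sizeof(dialnum). Whether res_strlen is bounded that tightly is decided above the hunk (clcc_response starts before it), so a cheap explicit check such as `if (rem_bytes < 6) { android_errorWriteLog(0x534e4554, "79266386"); break-out-or-return here }` before the two writes would make the invariant local. The `std::stringstream` plus `strncat` pair could be replaced by a second bounded write that needs no `<sstream>` (which this commit's include hunk does not add): `size_t used = strlen(&ag_res.str[res_strlen]);` followed by `snprintf(&ag_res.str[res_strlen + used], rem_bytes - used, "\",%d", type);`. Note also that `strncat(..., 5)` silently truncates the suffix if `type` ever needs more than three digits, producing a malformed response rather than a truncated one; the existing comment should state that the 5-byte reservation assumes a three-digit type.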
@@ -1357,6 +1365,13 @@ static bt_status_t phone_state_change(int num_active, int num_held,
           else
             xx = snprintf(ag_res.str, sizeof(ag_res.str), "\"%s\"", number);
           ag_res.num = type;
+          // 5 = [,][3_digit_type][null_terminator]
+          if (xx > static_cast<int>(sizeof(ag_res.str) - 5)) {
+            android_errorWriteLog(0x534e4554, "79431031");
+            xx = sizeof(ag_res.str) - 5;
+            // Null terminating the string
+            memset(&ag_res.str[xx], 0, 5);
+          }
 
           if (res == BTA_AG_CALL_WAIT_RES)
             snprintf(&ag_res.str[xx], sizeof(ag_res.str) - xx, ",%d", type);
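Review bot: When the new truncation branch fires, the string is cut at `sizeof(ag_res.str) - 5` characters, which drops the closing `"` that the format on the line above (`"\"%s\""`) placed after the number, so the `,%d` suffix appended by the following snprintf yields a result with an unbalanced quote rather than a shortened but well-formed one. If the `if` branch above the hunk also ends its format with a quote, consider restoring it right after the memset, e.g. `ag_res.str[xx - 1] = '"';`, and extend the comment to `// 5 = [,][3_digit_type][null_terminator]; truncate the number but keep the closing quote`. The comparison on `xx` is sound because it is snprintf's return value (the would-be length), so a truncated write is detected even though the buffer was already NUL-terminated at its end, and the error log makes the event observable. phone_state_change continues outside the hunk on both sides.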