Fix OOB in avct_lcb_msg_asmbl

Bug: 78286500
Test: manual
Change-Id: I1b879ce7f34af1b236522e766fd32676a5d6ee46

diff --git a/stack/avct/avct_lcb_act.cc b/stack/avct/avct_lcb_act.cc
index faa098b..eec049d 100644 (file)
--- a/stack/avct/avct_lcb_act.cc
+++ b/stack/avct/avct_lcb_act.cc
@@ -53,6 +53,12 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) {
   uint8_t pkt_type;
   BT_HDR* p_ret;
 
+  if (p_buf->len < 1) {
+    osi_free(p_buf);
+    p_ret = NULL;
+    return p_ret;
+  }
+
   /* parse the message header */
   p = (uint8_t*)(p_buf + 1) + p_buf->offset;
   pkt_type = AVCT_PKT_TYPE(p);