From: Hansong Zhang
Date: Mon, 6 Aug 2018 21:40:37 +0000 (-0700)
Subject: Fix OOB read in avrc_ctrl_pars_vendor_rsp
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=31cf761383b47790fa2f5958fdd9d6451fe1ce2b;p=android-x86%2Fsystem-bt.git
Fix OOB read in avrc_ctrl_pars_vendor_rsp
Bug: 78526423
Test: manual
Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91
(cherry picked from commit d945ada503ed9c9ea24e092df51faba57f5d589a)
---
diff --git a/stack/avrc/avrc_pars_ct.c b/stack/avrc/avrc_pars_ct.c
index d79d85b90..e68136e77 100644
--- a/stack/avrc/avrc_pars_ct.c
+++ b/stack/avrc/avrc_pars_ct.c
@@ -251,6 +251,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
 break;
 }
 BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p);
+ if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE)
+ {
+ android_errorWriteLog(0x534e4554, "78526423");
+ p_result->list_app_values.num_val = AVRC_MAX_APP_ATTR_SIZE;
+ }
+
 AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->list_app_values.num_val);
 for(int xx = 0; xx < p_result->list_app_values.num_val; xx++)
 {
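Review bot: The clamp added after `BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p)` bounds the peer-supplied count against the destination capacity `AVRC_MAX_APP_ATTR_SIZE`, but nothing visible in the hunk compares it with the number of bytes actually left in the response. The `for` loop that follows can therefore presumably still advance `p` past the end of a short packet; its body and the function's length bookkeeping are outside the hunk, so this needs confirming there. If a remaining-length value is available at this point, the count should be checked against it before the loop and the response rejected with an error status rather than truncated and parsed further. It would also help to state the reason for the bound in a comment above the check, for example `/* num_val comes from the peer; keep it within AVRC_MAX_APP_ATTR_SIZE entries */`.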