From: Hansong Zhang
Date: Thu, 21 Jun 2018 23:53:41 +0000 (-0700)
Subject: HIDD: Prevent integer underflow in bta_hd_act
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=74a6392875166698b64b624d12b6d2e404b75d72;p=android-x86%2Fsystem-bt.git
HIDD: Prevent integer underflow in bta_hd_act
Bug: 109757435
Bug: 109757168
Bug: 110846194
Bug: 109757986
Test: manual
Change-Id: I80a6f3f931ac7512f1ba801cc5d8de6ac04f3422
---
diff --git a/bta/hd/bta_hd_act.cc b/bta/hd/bta_hd_act.cc
index 75e4ea576..b061d296b 100644
--- a/bta/hd/bta_hd_act.cc
+++ b/bta/hd/bta_hd_act.cc
@@ -36,6 +36,7 @@
 #include "bta_sys.h"
 #include "btm_api.h"
+#include "log/log.h"
 #include "osi/include/osi.h"
 static void bta_hd_cback(BD_ADDR bd_addr, uint8_t event, uint32_t data,
@@ -504,6 +505,10 @@ extern void bta_hd_intr_data_act(tBTA_HD_DATA* p_data) {
 APPL_TRACE_API("%s", __func__);
 if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
+ if (len < 1) {
+ android_errorWriteLog(0x534e4554, "109757986");
+ return;
+ }
 ret.report_id = *p_buf;
 len--;
@@ -536,15 +541,31 @@ extern void bta_hd_get_report_act(tBTA_HD_DATA* p_data) {
 APPL_TRACE_API("%s", __func__);
+ uint16_t remaining_len = p_msg->len;
+ if (remaining_len < 1) {
+ android_errorWriteLog(0x534e4554, "109757168");
+ return;
+ }
+
 ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
 p_buf++;
+ remaining_len--;
 if (bta_hd_cb.use_report_id) {
+ if (remaining_len < 1) {
+ android_errorWriteLog(0x534e4554, "109757168");
+ return;
+ }
 ret.report_id = *p_buf;
 p_buf++;
+ remaining_len--;
 }
 if (rep_size_follows) {
+ if (remaining_len < 2) {
+ android_errorWriteLog(0x534e4554, "109757168");
+ return;
+ }
 ret.buffer_size = *p_buf | (*(p_buf + 1) << 8);
 }
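Review bot: The guard added before `ret.report_id = *p_buf;` in bta_hd_intr_data_act has no comment saying what it protects or what the log call records, and the same holds for the guards added in bta_hd_get_report_act and bta_hd_set_report_act. Above the `if (len < 1)` I would add `// len is decremented below; an empty report would wrap it and hand a bogus length onward`, and next to the log call `// 0x534e4554 ("SNET") is the SafetyNet event-log tag; the string is the tracking bug id`. The declaration of `len` and the code that consumes it after `len--` lie outside the hunk, so the consequence of the wrap is inferred from the commit title rather than visible here.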
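Review bot: All three guards in bta_hd_get_report_act leave through a bare `return;`, so a truncated GET_REPORT is dropped with nothing but the event-log entry, and the two guards in bta_hd_set_report_act behave the same way. The part of the function that hands the request on for a reply is outside the hunk, but if that is the only place a response originates, the host is presumably left waiting until it times out. Consider answering with the HID error handshake before returning, or state in a comment that silently dropping malformed control requests is intended. Because the three blocks are identical apart from the length compared, a small local helper or lambda that logs and reports failure would also keep the bug id in one place.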
@@ -569,11 +590,19 @@ extern void bta_hd_set_report_act(tBTA_HD_DATA* p_data) {
 APPL_TRACE_API("%s", __func__);
+ if (len < 1) {
+ android_errorWriteLog(0x534e4554, "110846194");
+ return;
+ }
 ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
 p_buf++;
 len--;
 if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
+ if (len < 1) {
+ android_errorWriteLog(0x534e4554, "109757435");
+ return;
+ }
 ret.report_id = *p_buf;
 len--;
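Review bot: The running byte count in bta_hd_set_report_act is still the mutated `len` local, while the same commit introduces a separately named `remaining_len` for the identical purpose in bta_hd_get_report_act. Using one name for the "bytes still unread" counter across the three handlers would make the guards easier to compare in review and harder to get wrong when the next field is parsed. If `len` has to stay because code after the hunk (not visible here) uses it as the payload length, a one-line comment such as `// len tracks the bytes remaining after each parsed header field` would do.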