From: Ajay Panicker <apanicke@google.com>
Date: Fri, 2 Feb 2018 09:26:34 +0000 (-0800)
Subject: AVRCP: Initialize buffer for attribute values to be written to
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=7f631604931b655dfc3289902bfbed76c71c00e3;p=android-x86%2Fsystem-bt.git

AVRCP: Initialize buffer for attribute values to be written to

Test: Build
Bug: 71603553
Change-Id: I978270605cfaa3b833d6c19f1b1d2cd5a82ac079
(cherry picked from commit e36d6f8edceed860929901b6c49c1964a1ac563f)
(cherry picked from commit 1696f97011f5f30f1a630f3b24442ca64232b1f5)
---

diff --git a/stack/avrc/avrc_pars_ct.c b/stack/avrc/avrc_pars_ct.c
index 3e6d27a02..47413d35d 100644
--- a/stack/avrc/avrc_pars_ct.c
+++ b/stack/avrc/avrc_pars_ct.c
@@ -282,7 +282,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
 
     case AVRC_PDU_GET_PLAYER_APP_ATTR_TEXT:
     {
-        tAVRC_APP_SETTING_TEXT   *p_setting_text;
         UINT8                    num_attrs;
 
         if (len == 0)
@@ -291,9 +290,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
             break;
         }
         BE_STREAM_TO_UINT8(num_attrs, p);
+        if (num_attrs > AVRC_MAX_APP_ATTR_SIZE) {
+            num_attrs = AVRC_MAX_APP_ATTR_SIZE;
+        }
         AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->get_app_attr_txt.num_attr);
         p_result->get_app_attr_txt.num_attr = num_attrs;
-        p_setting_text = (tAVRC_APP_SETTING_TEXT*)osi_malloc(num_attrs * sizeof(tAVRC_APP_SETTING_TEXT));
+        p_result->get_app_attr_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_malloc(num_attrs * sizeof(tAVRC_APP_SETTING_TEXT));
         for (int xx = 0; xx < num_attrs; xx++)
         {
             BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].attr_id, p);
@@ -313,7 +315,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
 
     case AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT:
     {
-        tAVRC_APP_SETTING_TEXT   *p_setting_text;
         UINT8                    num_vals;
 
         if (len == 0)
@@ -322,10 +323,13 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
             break;
         }
         BE_STREAM_TO_UINT8(num_vals, p);
+        if (num_vals > AVRC_MAX_APP_ATTR_SIZE) {
+            num_vals = AVRC_MAX_APP_ATTR_SIZE;
+        }
         p_result->get_app_val_txt.num_attr = num_vals;
         AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->get_app_val_txt.num_attr);
 
-        p_setting_text = (tAVRC_APP_SETTING_TEXT *)osi_malloc(num_vals * sizeof(tAVRC_APP_SETTING_TEXT));
+        p_result->get_app_val_txt.p_attrs = (tAVRC_APP_SETTING_TEXT *)osi_malloc(num_vals * sizeof(tAVRC_APP_SETTING_TEXT));
         for (int i = 0; i < num_vals; i++) {
             BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].attr_id, p);
             BE_STREAM_TO_UINT16(p_result->get_app_val_txt.p_attrs[i].charset_id, p);