From: Andre Eisenbach
Date: Tue, 27 Dec 2016 22:48:34 +0000 (-0800)
Subject: Fix pointer arithmetic in BTA_DmBleCfgFilterCondition
X-Git-Tag: android-x86-8.1-r1~196^2~19^2~42^2~104
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=bced7f0c0b;p=android-x86%2Fsystem-bt.git

Fix pointer arithmetic in BTA_DmBleCfgFilterCondition

Using the pointer to the beginning of a union in a member of the union, which will then be over-written, is a bad idea(TM).

Bug: 33910711
Test: manual
Change-Id: I0b979e493688bf8c02119a2ef6707d6c8e730dcb
---
diff --git a/bta/dm/bta_dm_api.cc b/bta/dm/bta_dm_api.cc
index f4e9dfd16..3bb378b8d 100644
--- a/bta/dm/bta_dm_api.cc
+++ b/bta/dm/bta_dm_api.cc
@@ -1203,6 +1203,7 @@ void BTA_DmBleCfgFilterCondition(tBTA_DM_BLE_SCAN_COND_OP action,
 if (cond_type == BTA_DM_BLE_PF_SRVC_DATA_PATTERN ||
 cond_type == BTA_DM_BLE_PF_MANU_DATA) {
+ p += sizeof(tBTA_DM_BLE_PF_MANU_COND);
 p_cond_param->manu_data.p_pattern = p;
 p_cond_param->manu_data.data_len = p_cond->manu_data.data_len;
 memcpy(p_cond_param->manu_data.p_pattern, p_cond->manu_data.p_pattern,
@@ -1219,12 +1220,14 @@ void BTA_DmBleCfgFilterCondition(tBTA_DM_BLE_SCAN_COND_OP action,
 }
 }
 } else if (cond_type == BTA_DM_BLE_PF_LOCAL_NAME) {
+ p += sizeof(tBTA_DM_BLE_PF_LOCAL_NAME_COND);
 p_cond_param->local_name.p_data = p;
 p_cond_param->local_name.data_len = p_cond->local_name.data_len;
 memcpy(p_cond_param->local_name.p_data, p_cond->local_name.p_data,
 p_cond->local_name.data_len);
 } else if (cond_type == BTM_BLE_PF_SRVC_UUID ||
 cond_type == BTM_BLE_PF_SRVC_SOL_UUID) {
+ p += sizeof(tBTA_DM_BLE_PF_SRVC_PATTERN_COND);
 if (p_cond->srvc_uuid.p_target_addr != NULL) {
 p_cond_param->srvc_uuid.p_target_addr = (tBLE_BD_ADDR*)(p);
 p_cond_param->srvc_uuid.p_target_addr->type =
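Review bot: The new `p += sizeof(tBTA_DM_BLE_PF_MANU_COND);` advances p by the size of one union member, and the two later hunks each advance by a different member's size, so the offset of the trailing payload now depends on which cond_type branch ran; a single `p += sizeof(*p_cond_param);` hoisted above the if/else chain would step over the whole union in every branch and replace the three per-branch increments. Whether the buffer at p was sized for that header plus data_len bytes is decided where p is allocated, outside this hunk, and should be checked there, because the memcpy on the hunk's last line writes data_len bytes at the new p with no bound visible here. BTA_DmBleCfgFilterCondition begins and ends outside the hunk. A short comment at the increment, such as `// skip the union header so the variable-length payload is not written over it`, would record why the advance is needed.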