From 0628a8e7b17e2bc16db13e69259f33b1def495fc Mon Sep 17 00:00:00 2001
From: Chris Manton
Date: Wed, 24 Mar 2021 09:11:26 -0700
Subject: [PATCH] RESTRICT AUTOMERGE Security fix OOB read vuln stack/avrc/avrc_pars_tg
Bug: 168712382
Tag: #security
Test: gd/cert/run
Ignore-AOSP-First: Security
Change-Id: Iae823e45675d46d8ca037157e516cc2f94fadfab
---
 stack/avrc/avrc_pars_tg.cc | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index db13bd52f..c59c18dee 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -119,6 +119,13 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg,
 if (p_msg->vendor_len == 0) return AVRC_STS_NO_ERROR;
 if (p_msg->p_vendor_data == NULL) return AVRC_STS_INTERNAL_ERR;
+ if (p_msg->vendor_len < 4) {
+ android_errorWriteLog(0x534e4554, "168712382");
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+ __func__, p_msg->vendor_len);
+ return AVRC_STS_INTERNAL_ERR;
+ }
+
 p = p_msg->p_vendor_data;
 p_result->pdu = *p++;
 AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);
--
2.11.0
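Review bot: The minimum length `4` in the added check is an unexplained magic number, and only one of those four bytes (the PDU id read by `*p++`) is consumed inside this hunk. A short comment above the check, e.g. `// Fixed header: PDU id (1) + packet type (1) + parameter length (2)`, would tie the bound to the fields parsed below; that layout is presumed from the AVRCP vendor-dependent header and should be confirmed against the reads that follow. The body of avrc_pars_vendor_cmd continues outside the hunk, so it is not visible here whether the parsed parameter length is also checked against `vendor_len - 4` before the per-PDU parameters are read; without that, this check guards only the header.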