From 1d9a58768e6573899c7e80c2b3f52e22f2d8f58b Mon Sep 17 00:00:00 2001
From: Hansong Zhang
Date: Wed, 13 Jun 2018 17:33:23 -0700
Subject: [PATCH] DO NOT MERGE AVRC: Copy browse.p_browse_data in btif_av_event_deep_copy
p_msg_src->browse.p_browse_data is not copied, but used after the original pointer is freed
Bug: 109699112
Test: manual
Change-Id: I1d014eb9a8911da6913173a9b11218bf1c89e16e
---
 btif/src/btif_av.cc | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/btif/src/btif_av.cc b/btif/src/btif_av.cc
index 4e78fbffc..9d4ddb65a 100644
--- a/btif/src/btif_av.cc
+++ b/btif/src/btif_av.cc
@@ -1133,6 +1133,14 @@ void btif_av_event_deep_copy(uint16_t event, char* p_dest, char* p_src) {
 memcpy(p_msg_dest->vendor.p_vendor_data,
 p_msg_src->vendor.p_vendor_data, p_msg_src->vendor.vendor_len);
 }
+ if ((p_msg_src->hdr.opcode == AVRC_OP_BROWSE) &&
+ p_msg_src->browse.p_browse_data && p_msg_src->browse.browse_len) {
+ p_msg_dest->browse.p_browse_data =
+ (uint8_t*)osi_calloc(p_msg_src->browse.browse_len);
+ memcpy(p_msg_dest->browse.p_browse_data,
+ p_msg_src->browse.p_browse_data, p_msg_src->browse.browse_len);
+ android_errorWriteLog(0x534e4554, "109699112");
+ }
 } break;
@@ -1151,6 +1159,9 @@ static void btif_av_event_free_data(btif_sm_event_t event, void* p_data) {
 if (av->meta_msg.p_msg->hdr.opcode == AVRC_OP_VENDOR) {
 osi_free(av->meta_msg.p_msg->vendor.p_vendor_data);
 }
+ if (av->meta_msg.p_msg->hdr.opcode == AVRC_OP_BROWSE) {
+ osi_free(av->meta_msg.p_msg->browse.p_browse_data);
+ }
 osi_free_and_reset((void**)&av->meta_msg.p_msg);
 }
 } break;
--
2.11.0
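Review bot: The new browse branch in btif_av_event_deep_copy leaves p_msg_dest->browse.p_browse_data unassigned whenever the guard is false for a browse message — opcode AVRC_OP_BROWSE with browse_len == 0 or a NULL p_browse_data — so the destination keeps whatever it already held. If p_msg_dest was filled by a struct-wide copy of p_msg_src earlier in the function (the start of btif_av_event_deep_copy is outside the hunk, so this is inferred), that leftover value is the source's own pointer, and the osi_free of browse.p_browse_data that this same patch adds to btif_av_event_free_data would release a buffer the copy does not own — the vendor path does not have this gap because its free side and (presumably) its allocation both key on the opcode alone. Pin the pointer in the remaining case, e.g. `} else if (p_msg_src->hdr.opcode == AVRC_OP_BROWSE) { p_msg_dest->browse.p_browse_data = NULL; }`, or allocate on opcode alone the way the vendor branch appears to. The android_errorWriteLog call also fires on every successfully copied browse message rather than on a rejected or anomalous condition, so it will be noisy; if that is intentional telemetry, a one-line comment saying so would help.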
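Review bot: The new osi_free of av->meta_msg.p_msg->browse.p_browse_data in btif_av_event_free_data relies on an ownership invariant that is stated nowhere at this site: for a browse message the pointer must be either NULL or a buffer that btif_av_event_deep_copy allocated, yet the copy side in this same patch only allocates under additional non-NULL/non-zero-length conditions, so the two sides can drift apart silently. A comment fixing the contract would make a future mismatch visible at review time: `// Owned by this copy: NULL, or a buffer allocated in btif_av_event_deep_copy.` The enclosing switch and btif_av_event_free_data itself begin before the hunk.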