From 4262b932e487b19d578d79e0120cf03291f44efc Mon Sep 17 00:00:00 2001
From: Pavlin Radoslavov
Date: Thu, 31 May 2018 11:04:54 -0700
Subject: [PATCH] Add BT_HDR length check for received AVCTP packets

Bug: 79944113
Test: Code compilation
Change-Id: I02c76ab8fad61669394062bf34656ea32f465b6a
---
 stack/avct/avct_bcb_act.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/stack/avct/avct_bcb_act.cc b/stack/avct/avct_bcb_act.cc
index ebfc88674..616976ee9 100644
--- a/stack/avct/avct_bcb_act.cc
+++ b/stack/avct/avct_bcb_act.cc
@@ -69,6 +69,12 @@ static BT_HDR* avct_bcb_msg_asmbl(UNUSED_ATTR tAVCT_BCB* p_bcb, BT_HDR* p_buf) {
 uint8_t* p;
 uint8_t pkt_type;
 
+ if (p_buf->len == 0) {
+ osi_free_and_reset((void**)&p_buf);
+ android_errorWriteLog(0x534e4554, "79944113");
+ return nullptr;
+ }
+
 /* parse the message header */
 p = (uint8_t*)(p_buf + 1) + p_buf->offset;
 pkt_type = AVCT_PKT_TYPE(p);
-- 
2.11.0
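Review bot: The new guard at the top of avct_bcb_msg_asmbl rejects only `p_buf->len == 0`, which protects the single-byte read done by `AVCT_PKT_TYPE(p)` but nothing longer, and it carries no comment saying so. I would add `/* AVCT_PKT_TYPE() reads the first payload byte; drop empty packets before touching it */` above the `if`, so the bound is not mistaken for full header validation. The function body continues past the hunk, so any later read of further AVCTP header bytes, there or in the caller, would need its own minimum-length check; that cannot be confirmed from the visible lines. The commit lists only "Code compilation" as its test, so a unit test that feeds a zero-length BT_HDR and asserts a null return with the buffer freed would pin the fix.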