From 656792f010ac12c6e781d45d1f99216bcd23088f Mon Sep 17 00:00:00 2001
From: Zhihai Xu
Date: Wed, 18 Dec 2013 10:06:13 -0800
Subject: [PATCH] read report array out of boundary for BLE HID device.

report array out of boundary when read HID report reference descriptor for BLE HID device.
bug:12208657
Change-Id: Ic60fd7555045f367b4fcd606510f52f60e36995e
---
 bta/hh/bta_hh_le.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/bta/hh/bta_hh_le.c b/bta/hh/bta_hh_le.c
index 0201be7d4..d96886150 100644
--- a/bta/hh/bta_hh_le.c
+++ b/bta/hh/bta_hh_le.c
@@ -639,6 +639,8 @@ void bta_hh_le_read_rpt_ref_descr(tBTA_HH_DEV_CB *p_dev_cb, tBTA_HH_LE_RPT *p_rp
 while (p_rpt != NULL)
 {
+ if (!p_rpt->in_use) break;
+
 if (p_rpt->rpt_type == BTA_HH_RPTT_INPUT)
 {
 /* is battery report */
@@ -719,9 +721,10 @@ void bta_hh_le_save_rpt_ref(tBTA_HH_DEV_CB *p_dev_cb, tBTA_HH_LE_RPT *p_rpt,
 #endif
 }
- if (p_rpt->index < BTA_HH_LE_RPT_MAX)
+ if (p_rpt->index < BTA_HH_LE_RPT_MAX - 1)
 p_rpt ++;
-
+ else
+ p_rpt = NULL;
 /* read next report reference descriptor */
 bta_hh_le_read_rpt_ref_descr(p_dev_cb, p_rpt);
-- 
2.11.0
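Review bot: In bta_hh_le_read_rpt_ref_descr the new `if (!p_rpt->in_use) break;` ends the walk at the first unused slot, which is correct only if in-use reports are always packed at the front of the array. That invariant is not visible in the hunk and deserves a comment, for example `/* reports are allocated contiguously: the first unused slot marks the end of the list */`. The statement also puts `break` on the `if` line without braces, unlike the braced blocks around it. The rest of the loop body lies outside the hunk, so it is worth confirming that whatever advances `p_rpt` there also stops at `BTA_HH_LE_RPT_MAX - 1`, as the save path now does.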
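Review bot: The corrected bound in bta_hh_le_save_rpt_ref still trusts `p_rpt->index` to equal the entry's real position in the report array. If the two ever disagree, `p_rpt ++` can still step past the last element. The entries walked here presumably come from the remote device's GATT database, so the invariant should be stated or checked where `index` is assigned, and documented here with a comment such as `/* index is the slot number; the last valid slot is BTA_HH_LE_RPT_MAX - 1 */`. The new `if`/`else` is unbraced; `else { p_rpt = NULL; /* last slot reached: end the walk */ }` makes the termination explicit. The function body starts outside the hunk, so whether `p_rpt` is checked for NULL before `p_rpt->index` is read cannot be confirmed from here.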