From 690001ab02353b01a2561199ef58079999a0b3da Mon Sep 17 00:00:00 2001
From: Marie Janssen
Date: Thu, 12 May 2016 15:30:16 -0700
Subject: [PATCH] DO NOT MERGE btif: check overflow on create_pbuf size
Bug: 27930580
Change-Id: Ieb1f23f9a8a937b21f7c5eca92da3b0b821400e6
(cherry picked from commit 514139f4b40cbb035bb92f3e24d5a389d75db9e6)
---
 btif/src/btif_hh.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/btif/src/btif_hh.c b/btif/src/btif_hh.c
index a4057cca5..1799b3c48 100644
--- a/btif/src/btif_hh.c
+++ b/btif/src/btif_hh.c
@@ -36,6 +36,8 @@
 #include
 #include
+#include
+
 #include "bta_api.h"
 #include "btif_common.h"
 #include "btif_storage.h"
@@ -247,7 +249,12 @@ static void toggle_os_keylockstates(int fd, int changedlockstates)
 *******************************************************************************/
 static BT_HDR *create_pbuf(UINT16 len, UINT8 *data)
 {
- BT_HDR* p_buf = osi_malloc(len + BTA_HH_MIN_OFFSET + sizeof(BT_HDR));
+ UINT16 buflen = (UINT16) (len + BTA_HH_MIN_OFFSET + sizeof(BT_HDR));
+ if (buflen < len) {
+ android_errorWriteWithInfoLog(0x534e4554, "28672558", -1, NULL, 0);
+ return NULL;
+ }
+ BT_HDR* p_buf = osi_malloc(buflen);
 UINT8* pbuf_data;
 p_buf->len = len;
--
2.11.0
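Review bot: The new `return NULL;` on the overflow path is a failure mode create_pbuf's callers never had to handle before, and the diffstat (one file, 8 insertions, all in this function and the include block) shows no call site was updated, so any caller that dereferences the result unchecked turns the former heap overflow into a NULL dereference; each call site should be verified to test for NULL. The truncate-then-compare idiom at `UINT16 buflen = (UINT16) (len + BTA_HH_MIN_OFFSET + sizeof(BT_HDR));` / `if (buflen < len)` is correct only because the added constant is far below 65536, which is not obvious on reading; computing the sum in `size_t` and testing `if (total > UINT16_MAX)` would state the intent directly, or at minimum a comment such as `/* BT_HDR length fields are 16-bit; reject sizes that would wrap */` belongs above the check. The SafetyNet log call tags bug "28672558" while the commit message cites Bug: 27930580, which is worth confirming as intended. `osi_malloc`'s result is still dereferenced unchecked at `p_buf->len = len;`; whether that is safe depends on osi_malloc aborting rather than returning NULL on failure, which this hunk does not show. create_pbuf's body continues past the end of the hunk.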