From 8a6fb368847794adb2365f91aa60a36a61d02607 Mon Sep 17 00:00:00 2001
From: Ajay Panicker <apanicke@google.com>
Date: Fri, 2 Feb 2018 01:11:37 -0800
Subject: [PATCH] DO NOT MERGE: AVRCP: Check number of text attribute values in
 response

Test: Build
Bug: 71603410
Change-Id: I6f822b0bc7fc2fb042a70b64cff61583a86b36e2
---
 stack/avrc/avrc_pars_ct.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/stack/avrc/avrc_pars_ct.c b/stack/avrc/avrc_pars_ct.c
index 80c5c7dde..b665b8d3a 100644
--- a/stack/avrc/avrc_pars_ct.c
+++ b/stack/avrc/avrc_pars_ct.c
@@ -265,6 +265,13 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
         tAVRC_APP_SETTING *app_sett =
             (tAVRC_APP_SETTING*)osi_malloc(p_result->get_cur_app_val.num_val*sizeof(tAVRC_APP_SETTING));
         AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->get_cur_app_val.num_val);
+
+
+        if (p_result->get_cur_app_val.num_val > AVRC_MAX_APP_ATTR_SIZE) {
+            android_errorWriteLog(0x534e4554, "63146237");
+            p_result->get_cur_app_val.num_val = AVRC_MAX_APP_ATTR_SIZE;
+        }
+
         for (int xx = 0; xx < p_result->get_cur_app_val.num_val; xx++)
         {
             BE_STREAM_TO_UINT8(app_sett[xx].attr_id, p);
-- 
2.11.0