From 8ac773aa5b2ace322a52e27a2231ac63688219de Mon Sep 17 00:00:00 2001 From: Jakub Pawlowski Date: Wed, 2 Oct 2019 15:04:38 +0200 Subject: [PATCH] Fix read out of bounds in BtifAvEvent::DeepCopy Bug: 140768453 Change-Id: Ia05e12382ef78a3e07228d09bcf9347f9976bffd --- bta/av/bta_av_aact.cc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/bta/av/bta_av_aact.cc b/bta/av/bta_av_aact.cc index 297bba496..3ecc1e654 100644 --- a/bta/av/bta_av_aact.cc +++ b/bta/av/bta_av_aact.cc @@ -3057,14 +3057,14 @@ void bta_av_open_at_inc(tBTA_AV_SCB* p_scb, tBTA_AV_DATA* p_data) { } void offload_vendor_callback(tBTM_VSC_CMPL* param) { - uint8_t status = 0; + tBTA_AV value{0}; uint8_t sub_opcode = 0; if (param->param_len) { APPL_TRACE_DEBUG("%s: param_len = %d status = %d", __func__, param->param_len, param->p_param_buf[0]); - status = param->p_param_buf[0]; + value.status = param->p_param_buf[0]; } - if (status == 0) { + if (value.status == 0) { sub_opcode = param->p_param_buf[1]; APPL_TRACE_DEBUG("%s: subopcode = %d", __func__, sub_opcode); switch (sub_opcode) { @@ -3072,7 +3072,7 @@ void offload_vendor_callback(tBTM_VSC_CMPL* param) { APPL_TRACE_DEBUG("%s: VS_HCI_STOP_A2DP_MEDIA successful", __func__); break; case VS_HCI_A2DP_OFFLOAD_START: - (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, (tBTA_AV*)&status); + (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, &value); break; default: break; @@ -3081,7 +3081,7 @@ void offload_vendor_callback(tBTM_VSC_CMPL* param) { APPL_TRACE_DEBUG("%s: Offload failed for subopcode= %d", __func__, sub_opcode); if (param->opcode != VS_HCI_A2DP_OFFLOAD_STOP) - (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, (tBTA_AV*)&status); + (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, &value); } } -- 2.11.0