mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-14 18:34:30 -05:00
45 lines
1.9 KiB
Diff
45 lines
1.9 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Ted Wang <tedwang@google.com>
|
||
|
Date: Thu, 13 Jan 2022 15:00:32 +0800
|
||
|
Subject: [PATCH] Security fix OOB read due to invalid count in
|
||
|
stack/avrc/avrc_pars_ct
|
||
|
|
||
|
Bug: 205837191
|
||
|
Tag: #security
|
||
|
Test: PoC test program
|
||
|
Ignore-AOSP-First: Security
|
||
|
Change-Id: I7b5bcb6551a8c0c015566327e13ba719271ce374
|
||
|
Merged-In: I7b5bcb6551a8c0c015566327e13ba719271ce374
|
||
|
(cherry picked from commit 60a5d2f63bf95ed386a2ca6c43f1d88bb1d07003)
|
||
|
Merged-In:I7b5bcb6551a8c0c015566327e13ba719271ce374
|
||
|
---
|
||
|
stack/avrc/avrc_pars_ct.cc | 8 ++++++++
|
||
|
1 file changed, 8 insertions(+)
|
||
|
|
||
|
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
|
||
|
index f3483d7fe..ef5aa1647 100644
|
||
|
--- a/stack/avrc/avrc_pars_ct.cc
|
||
|
+++ b/stack/avrc/avrc_pars_ct.cc
|
||
|
@@ -543,6 +543,10 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
||
|
p_result->get_caps.capability_id,
|
||
|
p_result->get_caps.count);
|
||
|
if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID) {
|
||
|
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_COMP_ID) {
|
||
|
+ android_errorWriteLog(0x534e4554, "205837191");
|
||
|
+ return AVRC_STS_INTERNAL_ERR;
|
||
|
+ }
|
||
|
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3;
|
||
|
if (len < min_len) goto length_error;
|
||
|
for (int xx = 0; ((xx < p_result->get_caps.count) &&
|
||
|
@@ -552,6 +556,10 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
|
||
|
}
|
||
|
} else if (p_result->get_caps.capability_id ==
|
||
|
AVRC_CAP_EVENTS_SUPPORTED) {
|
||
|
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_EVT_ID) {
|
||
|
+ android_errorWriteLog(0x534e4554, "205837191");
|
||
|
+ return AVRC_STS_INTERNAL_ERR;
|
||
|
+ }
|
||
|
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID);
|
||
|
if (len < min_len) goto length_error;
|
||
|
for (int xx = 0; ((xx < p_result->get_caps.count) &&
|