From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Brian Delwiche Date: Thu, 27 Apr 2023 20:43:58 +0000 Subject: [PATCH] Fix potential abort in btu_av_act.cc Partner analysis shows that bta_av_rc_msg does not respect handling established for a null browse packet, instead dispatching the null pointer to bta_av_rc_free_browse_msg. Strictly speaking this does not cause a UAF, as osi_free_and_reset will find the null and abort, but it will lead to improper program termination. Handle the case instead. Bug: 269253349 Test: atest bluetooth_test_gd_unit Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9) Merged-In: I4df7045798b663fbefd7434288dc9383216171a7 Change-Id: I4df7045798b663fbefd7434288dc9383216171a7 --- bta/av/bta_av_act.cc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc index 8809abed3..9f97b453a 100644 --- a/bta/av/bta_av_act.cc +++ b/bta/av/bta_av_act.cc @@ -1005,7 +1005,10 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) { av.remote_cmd.rc_handle = p_data->rc_msg.handle; (*p_cb->p_cback)(evt, &av); /* If browsing message, then free the browse message buffer */ - bta_av_rc_free_browse_msg(p_cb, p_data); + if (p_data->rc_msg.opcode == AVRC_OP_BROWSE && + p_data->rc_msg.msg.browse.p_browse_pkt != NULL) { + bta_av_rc_free_browse_msg(p_cb, p_data); + } } }