From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Brian Delwiche Date: Tue, 27 Sep 2022 22:05:08 +0000 Subject: [PATCH] Add bounds check in avdt_scb_act.cc Bug: 242535997 Test: BT unit tests, validated against researcher POC Tag: #security Ignore-AOSP-First: Security Change-Id: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4 (cherry picked from commit eca4a3cdb0da240496341f546a57397434ec85dd) Merged-In: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4 --- stack/avdt/avdt_scb_act.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/stack/avdt/avdt_scb_act.c b/stack/avdt/avdt_scb_act.c index f61abd626..5537c3d1d 100644 --- a/stack/avdt/avdt_scb_act.c +++ b/stack/avdt/avdt_scb_act.c @@ -1295,6 +1295,12 @@ void avdt_scb_hdl_write_req_no_frag(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data) /* Add RTP header if required */ if ( !(p_data->apiwrite.opt & AVDT_DATA_OPT_NO_RTP) ) { + if (p_data->apiwrite.p_buf->offset < AVDT_MEDIA_HDR_SIZE) + { + android_errorWriteWithInfoLog(0x534e4554, "242535997", -1, NULL, 0); + return; + } + ssrc = avdt_scb_gen_ssrc(p_scb); p_data->apiwrite.p_buf->len += AVDT_MEDIA_HDR_SIZE;