From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Brian Delwiche Date: Tue, 27 Sep 2022 22:05:08 +0000 Subject: [PATCH] Add bounds check in avdt_scb_act.cc Bug: 242535997 Test: BT unit tests, validated against researcher POC Tag: #security Ignore-AOSP-First: Security Change-Id: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4 (cherry picked from commit eca4a3cdb0da240496341f546a57397434ec85dd) Merged-In: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4 --- stack/avdt/avdt_scb_act.cc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc index 5e0e98d80..ea9c0bceb 100644 --- a/stack/avdt/avdt_scb_act.cc +++ b/stack/avdt/avdt_scb_act.cc @@ -957,6 +957,11 @@ void avdt_scb_hdl_write_req(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) { /* Build a media packet, and add an RTP header if required. */ if (add_rtp_header) { + if (p_data->apiwrite.p_buf->offset < AVDT_MEDIA_HDR_SIZE) { + android_errorWriteWithInfoLog(0x534e4554, "242535997", -1, NULL, 0); + return; + } + ssrc = avdt_scb_gen_ssrc(p_scb); p_data->apiwrite.p_buf->len += AVDT_MEDIA_HDR_SIZE;