mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
082bc48c32
https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev>
41 lines
1.5 KiB
Diff
41 lines
1.5 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Brian Delwiche <delwiche@google.com>
|
|
Date: Thu, 27 Apr 2023 20:43:58 +0000
|
|
Subject: [PATCH] Fix potential abort in btu_av_act.cc
|
|
|
|
Partner analysis shows that bta_av_rc_msg does not respect handling
|
|
established for a null browse packet, instead dispatching the null
|
|
pointer to bta_av_rc_free_browse_msg. Strictly speaking this does
|
|
not cause a UAF, as osi_free_and_reset will find the null and abort,
|
|
but it will lead to improper program termination.
|
|
|
|
Handle the case instead.
|
|
|
|
Bug: 269253349
|
|
Test: atest bluetooth_test_gd_unit
|
|
Tag: #security
|
|
Ignore-AOSP-First: Security
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9)
|
|
Merged-In: I4df7045798b663fbefd7434288dc9383216171a7
|
|
Change-Id: I4df7045798b663fbefd7434288dc9383216171a7
|
|
---
|
|
bta/av/bta_av_act.cc | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
|
|
index 112645ecf..0cd7b5d00 100644
|
|
--- a/bta/av/bta_av_act.cc
|
|
+++ b/bta/av/bta_av_act.cc
|
|
@@ -997,7 +997,10 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) {
|
|
av.remote_cmd.rc_handle = p_data->rc_msg.handle;
|
|
(*p_cb->p_cback)(evt, &av);
|
|
/* If browsing message, then free the browse message buffer */
|
|
- bta_av_rc_free_browse_msg(p_cb, p_data);
|
|
+ if (p_data->rc_msg.opcode == AVRC_OP_BROWSE &&
|
|
+ p_data->rc_msg.msg.browse.p_browse_pkt != NULL) {
|
|
+ bta_av_rc_free_browse_msg(p_cb, p_data);
|
|
+ }
|
|
}
|
|
}
|
|
|