mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-09-14 13:31:58 +00:00
59bf3b75c7
https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/353117 https://review.lineageos.org/q/topic:Q_asb_2023-03 https://review.lineageos.org/q/topic:Q_asb_2023-04 https://review.lineageos.org/q/topic:Q_asb_2023-05 https://review.lineageos.org/q/topic:Q_asb_2023-06 https://review.lineageos.org/q/topic:Q_asb_2023-07 https://review.lineageos.org/q/topic:Q_asb_2023-08 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376560 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376561 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376562 https://review.lineageos.org/q/topic:Q_asb_2023-09 https://review.lineageos.org/q/topic:Q_asb_2023-10 https://review.lineageos.org/q/topic:Q_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376563 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_webp/+/376568 https://review.lineageos.org/q/topic:Q_asb_2023-12 https://review.lineageos.org/q/topic:Q_asb_2024-01 https://review.lineageos.org/q/topic:Q_asb_2024-02 https://review.lineageos.org/q/topic:Q_asb_2024-03 Signed-off-by: Tavi <tavi@divested.dev>
50 lines
1.6 KiB
Diff
50 lines
1.6 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Mayank Madhukar <quic_mmadhuka@quicinc.com>
|
|
Date: Thu, 14 Jul 2022 15:33:53 +0530
|
|
Subject: [PATCH] AVDTP: Fix a potential overflow about the media payload
|
|
offset
|
|
|
|
This variable is uint16, and is possible to overflow when the length of
|
|
header extension is larger. Here we compare with the data length to
|
|
prevent any exceptions.
|
|
|
|
Change-Id: If55d77132e893d6856c9f4ccc42d24a6e7cafe29
|
|
CRs-Fixed: 3237187
|
|
---
|
|
stack/avdt/avdt_scb_act.cc | 13 +++++++++----
|
|
1 file changed, 9 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
|
|
index 130f44ab1..568575458 100644
|
|
--- a/stack/avdt/avdt_scb_act.cc
|
|
+++ b/stack/avdt/avdt_scb_act.cc
|
|
@@ -277,19 +277,24 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) {
|
|
if (offset > len) goto length_error;
|
|
p += 2;
|
|
BE_STREAM_TO_UINT16(ex_len, p);
|
|
- offset += ex_len * 4;
|
|
p += ex_len * 4;
|
|
}
|
|
|
|
+ if ((p - p_start) > len) {
|
|
+ android_errorWriteLog(0x534e4554, "142546355");
|
|
+ osi_free_and_reset((void**)&p_data->p_pkt);
|
|
+ return;
|
|
+ }
|
|
+ offset = p - p_start;
|
|
+
|
|
/* adjust length for any padding at end of packet */
|
|
if (o_p) {
|
|
/* padding length in last byte of packet */
|
|
- pad_len = *(p_start + p_data->p_pkt->len);
|
|
+ pad_len = *(p_start + len);
|
|
}
|
|
|
|
/* do sanity check */
|
|
- if ((offset > p_data->p_pkt->len) ||
|
|
- ((pad_len + offset) > p_data->p_pkt->len)) {
|
|
+ if (pad_len > (len - offset)) {
|
|
AVDT_TRACE_WARNING("Got bad media packet");
|
|
osi_free_and_reset((void**)&p_data->p_pkt);
|
|
}
|