Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-10-01 05:35:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
84a84c4742
DivestOS/Patches/LineageOS-20.0/ASB2023-09/bt-03.patch
Tad 964877bbf6
20.0: September ASB picks 
wget b96ee4a2d1.patch -O telephony-01.patch
wget c16e6e78c1.patch -O media-01.patch
wget d5771450d7.patch -O media-02.patch
wget a1370bd00c.patch -O nn-01.patch
wget ce2776f4ca.patch -O bt-01.patch
wget 585f583ef5.patch -O bt-02.patch
wget c9905e7968.patch -O bt-03.patch
wget c93ec045f5.patch -O bt-04.patch
wget 89fb17d172.patch -O bt-05.patch
wget 14aed2455e.patch -O bt-06.patch
wget cd438ebc52.patch -O bt-07.patch
wget 27e7cdc4e5.patch -O nfc-01.patch
wget dfeb4270b8.patch -O launcher-01.patch
wget b1993f6cec.patch -O native-01.patch
wget df4a9362cd.patch -O fwb-01.patch
wget b55563bb9d.patch -O fwb-02.patch
wget a80971a281.patch -O fwb-03.patch
wget 7e173b4383.patch -O fwb-04.patch
wget 44191b1c6b.patch -O fwb-05.patch
wget 8dc8dfe572.patch -O fwb-06.patch
wget 00a4224100.patch -O av-01.patch
wget 21623d1f43.patch -O settings-01.patch
wget fa5ec443d9.patch -O settings-02.patch
wget ba4da9c7b3.patch -O settings-03.patch

Signed-off-by: Tad <tad@spotco.us>
2023-09-06 15:42:52 -04:00

38 lines
1.6 KiB
Diff
Raw Blame History

From c9905e7968f603014d8ebd631393f9ba1ffd98c9 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 10 May 2023 23:34:20 +0000
Subject: [PATCH] Fix an integer overflow bug in avdt_msg_asmbl
Bug: 280633699
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bf9449a704c2983861dbe0ede9ab660e42826179)
Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
---
system/stack/avdt/avdt_msg.cc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/system/stack/avdt/avdt_msg.cc b/system/stack/avdt/avdt_msg.cc
index f9f3f7e1e0..0baf5f1f35 100644
--- a/system/stack/avdt/avdt_msg.cc
+++ b/system/stack/avdt/avdt_msg.cc
@@ -1285,14 +1285,14 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
* NOTE: The buffer is allocated above at the beginning of the
* reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
*/
- uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
+ size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
/* adjust offset and len of fragment for header byte */
p_buf->offset += AVDT_LEN_TYPE_CONT;
p_buf->len -= AVDT_LEN_TYPE_CONT;
/* verify length */
- if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) {
+ if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len) {
/* won't fit; free everything */
AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__);
osi_free_and_reset((void**)&p_ccb->p_rx_msg);
Reference in New Issue View Git Blame Copy Permalink